Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-08 Thread Rob Crittenden

Rich Megginson wrote:

On 08/03/2012 09:50 AM, Baptiste AGASSE wrote:

Hi,


Hi all,

I've a problem with winsync between IPA 2.2 on CentOS 6.3 and Active
Directory 2008R2.

I'm following this documentation to enable synchronization:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html


There is nothing on this page about running certutil? Which link talks
about certutil?

Links present in the documentation talk about commands and options for
certutil, but I don't see anything about this error.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html


I agree, I don't think this is necessary either. I'm not sure if this 
originated in the 389-ds docs or we provided Deon (or David) with bad 
information long ago.


rob





Can one of the IPA developers explain why it is necessary to install the
IPA CA certificate into the Windows Cert Store in order to get
Winsync/PassSync working?  I don't believe it is necessary.

For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
Directory and IPA CA Certificates



I'm a newbie on Microsoft OSes, but I don't understand why certutil
doesn't find my file.

I will ask on a microsoft forum.

Regards


When I run as admin 'certutil -installcert -v -config
ipa.foo.example.local\EXAMPLE.LOCAL Domain CA
c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
French):

CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
CertUtil: Specified file not found

Has someone seen this issue?

Have a nice day.

Regards.

Baptiste.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users







Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-06 Thread Baptiste AGASSE
Hi,

  Hi,
 
  Hi all,
 
  I've a problem with winsync between IPA 2.2 on CentOS 6.3 and
  Active
  Directory 2008R2.
 
  I'm following this documentation to enable synchronization:
  http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
  There is nothing on this page about running certutil? Which link
  talks
  about certutil?
  Links present in the documentation talk about commands and options
  for certutil, but I don't see anything about this error.
 http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
 
 
 Can one of the IPA developers explain why it is necessary to install
 the
 IPA CA certificate into the Windows Cert Store in order to get
 Winsync/PassSync working? I don't believe it is necessary.
 
 For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
 Directory and IPA CA Certificates

- I trusted the IPA certificate on AD.
To do this, I launched mmc, added the Certificates component for the local 
computer, and then added the IPA cert to the Trusted Root CAs.

Now when I run openssl s_client -host ad-server.example.com -port 636 I can 
see the IPA certificate as a trusted client CA.

- I tested AD ldap connection:
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H 
ldap://ad-server.example.com -ZZ -D cn=ipasync,cn=users,dc=example,dc=com -w 
X -s base -b  'objectclass=*' namingcontexts
dn:
namingContexts: DC=example,DC=com
namingContexts: CN=Configuration,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=example,DC=com

- Now I hit another problem, when I run:

ipa-replica-manage connect --winsync --binddn 
cn=ipasync,cn=users,dc=example,dc=com --bindpw X --passsync X --cacert 
/etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database 
for ipa.foo.example.local
ipa: INFO: AD Suffix is: DC=example,DC=com
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - System error: 
start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipa.foo.example.local] reports: Update failed! Status: [-11  - System error]
Failed to start replication


 
 
  I'm a newbie on Microsoft OSes, but I don't understand why certutil
  doesn't find my file.
 
  I will ask on a microsoft forum.
 
  Regards
 
  When I run as admin 'certutil -installcert -v -config
  ipa.foo.example.local\EXAMPLE.LOCAL Domain CA
  c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
  French):
 
  CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
  CertUtil: Specified file not found
 
  Has someone seen this issue?
 
  Have a nice day.
 
  Regards.
 
  Baptiste.
 

Have a nice day.

Regards

Baptiste.



Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-06 Thread Rich Megginson

On 08/06/2012 02:28 AM, Baptiste AGASSE wrote:

Hi,


Hi,


Hi all,

I've a problem with winsync between IPA 2.2 on CentOS 6.3 and
Active
Directory 2008R2.

I'm following this documentation to enable synchronization:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html

There is nothing on this page about running certutil? Which link
talks
about certutil?

Links present in the documentation talk about commands and options
for certutil, but I don't see anything about this error.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html


Can one of the IPA developers explain why it is necessary to install
the
IPA CA certificate into the Windows Cert Store in order to get
Winsync/PassSync working? I don't believe it is necessary.

For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
Directory and IPA CA Certificates

- I trusted the IPA certificate on AD.
To do this, I launched mmc, added the Certificates component for the local 
computer, and then added the IPA cert to the Trusted Root CAs.

Now when I run openssl s_client -host ad-server.example.com -port 636 I can 
see the IPA certificate as a trusted client CA.

- I tested AD ldap connection:
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H ldap://ad-server.example.com 
-ZZ -D cn=ipasync,cn=users,dc=example,dc=com -w X -s base -b  
'objectclass=*' namingcontexts
dn:
namingContexts: DC=example,DC=com
namingContexts: CN=Configuration,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=example,DC=com

- Now I hit another problem, when I run:

ipa-replica-manage connect --winsync --binddn 
cn=ipasync,cn=users,dc=example,dc=com --bindpw X --passsync X --cacert 
/etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database 
for ipa.foo.example.local
ipa: INFO: AD Suffix is: DC=example,DC=com
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - System error: 
start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipa.foo.example.local] reports: Update failed! Status: [-11  - System error]
Failed to start replication

What platform?  What version of 389-ds-base?
Can you post some excerpts from your 389 errors log from 
/var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the error?






I'm a newbie on Microsoft OSes, but I don't understand why certutil
doesn't find my file.

I will ask on a microsoft forum.

Regards


When I run as admin 'certutil -installcert -v -config
ipa.foo.example.local\EXAMPLE.LOCAL Domain CA
c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
French):

CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
CertUtil: Specified file not found

Has someone seen this issue?

Have a nice day.

Regards.

Baptiste.


Have a nice day.

Regards

Baptiste.




Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-06 Thread Baptiste AGASSE
  Hi,
 
  Hi,
 
  Hi all,
 
  I've a problem with winsync between IPA 2.2 on CentOS 6.3 and
  Active
  Directory 2008R2.
 
  I'm following this documentation to enable synchronization:
  http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
  There is nothing on this page about running certutil? Which link
  talks
  about certutil?
  Links present in the documentation talk about commands and options
  for certutil, but I don't see anything about this error.
  http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
 
 
  Can one of the IPA developers explain why it is necessary to
  install
  the
  IPA CA certificate into the Windows Cert Store in order to get
  Winsync/PassSync working? I don't believe it is necessary.
 
  For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
  Directory and IPA CA Certificates
  - I trusted the IPA certificate on AD.
  To do this, I launched mmc, added the Certificates component for the
  local computer, and then added the IPA cert to the Trusted Root CAs.
 
  Now when I run openssl s_client -host ad-server.example.com -port
  636 I can see the IPA certificate as a trusted client CA.
 
  - I tested AD ldap connection:
  LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL
  -H ldap://ad-server.example.com -ZZ -D
  cn=ipasync,cn=users,dc=example,dc=com -w X -s base -b 
  'objectclass=*' namingcontexts
  dn:
  namingContexts: DC=example,DC=com
  namingContexts: CN=Configuration,DC=example,DC=com
  namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
  namingContexts: DC=DomainDnsZones,DC=example,DC=com
  namingContexts: DC=ForestDnsZones,DC=example,DC=com
 
  - Now I hit another problem, when I run:
 
  ipa-replica-manage connect --winsync --binddn
  cn=ipasync,cn=users,dc=example,dc=com --bindpw X --passsync
  X --cacert /etc/openldap/cacerts/ad-ca.crt ad-server.example.com
  -v
  Directory Manager password:
 
  Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate
  database for ipa.foo.example.local
  ipa: INFO: AD Suffix is: DC=example,DC=com
  The user for the Windows PassSync service is
  uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
  Windows PassSync entry exists, not resetting password
  ipa: INFO: Added new sync agreement, waiting for it to become ready
  . . .
  ipa: INFO: Replication Update in progress: FALSE: status: -11 -
  System error: start: 0: end: 0
  ipa: INFO: Agreement is ready, starting replication . . .
  Starting replication, please wait until this has completed.
  [ipa.foo.example.local] reports: Update failed! Status: [-11 -
  System error]
  Failed to start replication
 What platform? What version of 389-ds-base?
 Can you post some excerpts from your 389 errors log from
 /var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the
 error?

That was a TLS error; I had uploaded the wrong AD CA cert on the IPA server. 
Sorry for the noise.

 
 
 
  I'm a newbie on Microsoft OSes, but I don't understand why certutil
  doesn't find my file.
 
  I will ask on a microsoft forum.
 
  Regards
 
  When I run as admin 'certutil -installcert -v -config
  ipa.foo.example.local\EXAMPLE.LOCAL Domain CA
  c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
  French):
 
  CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
  CertUtil: Specified file not found
 
  Has someone seen this issue?
 
  Have a nice day.
 
  Regards.
 
  Baptiste.
 
  Have a nice day.
 
  Regards
 
  Baptiste.

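
The root cause in Baptiste's follow-up above was a wrong AD CA file handed to ipa-replica-manage --cacert. The script below is an added example, not code from this thread or from FreeIPA: it shows the check a practitioner would run before creating the agreement, namely that the CA file really issued the certificate the AD server presents on port 636. Because it has to run offline, it builds a throwaway "AD" CA, an unrelated CA and one server certificate with openssl; the CA names, the hostname ad-server.example.com and the $WORK directory are assumptions for the demo, not the poster's setup.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): confirm that a CA file
# signs the AD server's LDAPS certificate before running
#   ipa-replica-manage connect --winsync --cacert FILE ...
# The CAs and the server certificate are constructed here with openssl so
# that the checks run without an AD host; names are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME SUBJECT_CN: self-signed CA written to $WORK/NAME.key / NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_server_cert CA_NAME SERVER_CN: leaf signed by CA_NAME, written to
# $WORK/server.crt (stands in for what ad-server.example.com:636 presents)
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# issuer_matches CAFILE CERT: cheap first check, the leaf's issuer DN must
# equal the CA's subject DN (RFC 2253 form so both print identically)
issuer_matches() {
    ca_subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//')
    leaf_iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$2" | sed 's/^issuer=//')
    [ "$ca_subj" = "$leaf_iss" ]
}

# verify_chain CAFILE CERT: the real test, does CAFILE sign CERT?
# Output is grepped instead of trusting the exit code because the OpenSSL
# 1.0.x "verify" command exits 0 even when verification fails.
verify_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# fingerprint FILE: SHA-256 fingerprint, to compare with the value shown by
# the AD CA's own console and catch an exported wrong file early
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Demo material. Against a live AD you would capture the presented leaf
# instead, e.g.:
#   openssl s_client -connect ad-server.example.com:636 -showcerts </dev/null \
#     | openssl x509 -out "$WORK/server.crt"
make_ca adca "Example AD Root CA"          # the CA that really issued the leaf
make_ca otherca "Unrelated CA"             # a wrong file, as in the thread
issue_server_cert adca "ad-server.example.com"

for ca in adca otherca; do
    printf '%s (%s): ' "$ca" "$(fingerprint "$WORK/$ca.crt")"
    if issuer_matches "$WORK/$ca.crt" "$WORK/server.crt" \
       && verify_chain "$WORK/$ca.crt" "$WORK/server.crt"; then
        echo "signs server.crt, safe to pass as --cacert"
    else
        echo "does NOT sign server.crt, the sync agreement's TLS handshake would fail"
    fi
done
```

The issuer-DN comparison is only a hint (two CAs can share a subject), so the decision rests on openssl verify; the fingerprint is printed so it can be matched against the AD side before the file is copied to /etc/openldap/cacerts. Remove $WORK afterwards, it holds throwaway private keys.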


Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-03 Thread Rich Megginson

On 08/03/2012 02:02 AM, Baptiste AGASSE wrote:

Hi all,

I've a problem with winsync between IPA 2.2 on CentOS 6.3 and Active Directory 
2008R2.

I'm following this documentation to enable synchronization:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html


There is nothing on this page about running certutil?  Which link talks 
about certutil?




When I run as admin 'certutil -installcert -v -config 
ipa.foo.example.local\EXAMPLE.LOCAL Domain CA 
c:\Users\John\Documents\ipa-ca.crt' it returns (translated from French):

CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
CertUtil: Specified file not found

Has someone seen this issue?

Have a nice day.

Regards.

Baptiste.





Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-03 Thread Rich Megginson

On 08/03/2012 09:50 AM, Baptiste AGASSE wrote:

Hi,


Hi all,

I've a problem with winsync between IPA 2.2 on CentOS 6.3 and Active
Directory 2008R2.

I'm following this documentation to enable synchronization:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html

There is nothing on this page about running certutil? Which link talks
about certutil?

Links present in the documentation talk about commands and options for certutil, 
but I don't see anything about this error.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html


Can one of the IPA developers explain why it is necessary to install the 
IPA CA certificate into the Windows Cert Store in order to get 
Winsync/PassSync working?  I don't believe it is necessary.


For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active 
Directory and IPA CA Certificates




I'm a newbie on Microsoft OSes, but I don't understand why certutil doesn't find 
my file.

I will ask on a microsoft forum.

Regards


When I run as admin 'certutil -installcert -v -config
ipa.foo.example.local\EXAMPLE.LOCAL Domain CA
c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
French):

CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
CertUtil: Specified file not found

Has someone seen this issue?

Have a nice day.

Regards.

Baptiste.


