#4779 Winsync: Setup is broken due to incorrect import of certificate
Closed: Fixed None Opened 4 years ago by tbabej.

When setting up winsync replication, DS needs to trust AD CA:

[tbabej@vm-124 labtool]$ sudo certutil -d /etc/dirsrv/slapd-DOM124-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOM124.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA                CT,C,C
Server-Cert                                                  u,u,u
CN=advm.tbad.idm.lab.eng.brq.redhat.com                      CT,C,C
CN=tbad-ADVM-CA,DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com CT,C,C

Note the flags in the last certificate.

However, when setting up winsync, it blows up due to a TLS error (Peer's issuer not recognized).

[tbabej@vm-124 labtool]$ sudo ipa-replica-manage connect -p blablabla --winsync --binddn cn=Administrator,cn=Users,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com --bindpw Secret123456 --passsync Secret123456 --cacert /home/tbabej/ad_ca_cert.cer advm.tbad.idm.lab.eng.brq.redhat.com -v -f
Added CA certificate /home/tbabej/ad_ca_cert.cer to certificate database for vm-124.dom124.tbad.idm.lab.eng.brq.redhat.com
ipa: INFO: AD Suffix is: DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=dom124,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[vm-124.dom124.tbad.idm.lab.eng.brq.redhat.com] reports: Update failed! Status: [-11  - LDAP error: Connect error]

Failed to start replication

The culprit here is that winsync setup tries to import the CA cert and sets wrong flags:

[tbabej@vm-124 labtool]$ sudo certutil -d /etc/dirsrv/slapd-DOM124-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOM124.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA                CT,C,C
Server-Cert                                                  u,u,u
CN=advm.tbad.idm.lab.eng.brq.redhat.com                      CT,C,C
CN=tbad-ADVM-CA,DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com ,,

This effectively means the user is unable to set up the winsync replication with 4.1 and there is no workaround other than modifying the IPA source code.


The problem here is that the load_cacert method is using incorrect detection for detecting whether a certificate belongs to a CA, which only works for IPA CA certs.

master:

  • faec4ef certs: Fix incorrect flag handling in load_cacert

ipa-4-1:

  • db4ac47 certs: Fix incorrect flag handling in load_cacert
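The symptom in this ticket is visible only in the trust column of the NSS database listing: the AD CA ends up with ",," instead of "CT,C,C", so DS cannot validate the AD server certificate. The script below is an added verification check written for this ticket, not code from FreeIPA or the linked commits. It parses the output of certutil -L into per-slot trust flags and reports any CA nickname the caller expects to be trusted for server authentication (the "C" flag in the SSL slot) that is missing or lacks that flag. The sample listing, nicknames and the run_check helper are constructed for the example; the certutil flags (-d, -L) are the real ones used on the page.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample in the shape certutil -L prints (hostnames are placeholders,
# not real systems); the last entry shows the broken ",," trust from the ticket.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
CN=advm.example.test                                         CT,C,C
CN=example-ADVM-CA,DC=example,DC=test                        ,,
"""

# NSS trust strings: three comma-separated slots (SSL, S/MIME, JAR/XPI), each a
# set of flags such as C (trusted CA for servers), T (trusted CA for clients),
# c (valid CA), P/p (trusted/valid peer), u (user cert), w (warn).
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")


def parse_certutil_listing(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust strings.

    Nicknames may contain spaces, but the trust token never does, so the last
    whitespace-separated token is the trust string; header lines do not match.
    """
    certs: Dict[str, Tuple[str, str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # "Certificate Nickname ..." / "SSL,S/MIME,JAR/XPI" headers
        nick, trust = parts
        ssl, smime, jar = trust.split(",")
        certs[nick] = (ssl, smime, jar)
    return certs


def is_trusted_server_ca(trust: Tuple[str, str, str]) -> bool:
    """True when the SSL slot carries C, i.e. NSS will accept server certs it issued."""
    return "C" in trust[0]


def untrusted_server_cas(certs: Dict[str, Tuple[str, str, str]],
                         expected_cas: List[str]) -> List[Tuple[str, str]]:
    """Report expected CA nicknames that are absent or not trusted for servers.

    The caller names the CAs explicitly instead of guessing from the nickname,
    which is the kind of heuristic the ticket says failed in load_cacert.
    """
    problems: List[Tuple[str, str]] = []
    for nick in expected_cas:
        trust = certs.get(nick)
        if trust is None:
            problems.append((nick, "not present in database"))
        elif not is_trusted_server_ca(trust):
            problems.append((nick, "SSL trust %r lacks C" % (",".join(trust),)))
    return problems


def run_check(db_dir: str, expected_cas: List[str]) -> List[Tuple[str, str]]:
    """Hypothetical helper: run certutil against a real DS NSS database directory."""
    out = subprocess.run(["certutil", "-d", db_dir, "-L"],
                         capture_output=True, text=True, check=True).stdout
    return untrusted_server_cas(parse_certutil_listing(out), expected_cas)


if __name__ == "__main__":
    found = parse_certutil_listing(SAMPLE_LISTING)
    for nick, why in untrusted_server_cas(
            found, ["EXAMPLE.TEST IPA CA", "CN=example-ADVM-CA,DC=example,DC=test"]):
        print("PROBLEM: %s: %s" % (nick, why))
```

Run against the DS instance after ipa-replica-manage connect --winsync by passing the slapd-INSTANCE directory and the AD CA's subject DN as it appears in the listing; an empty result means the CA is trusted for server authentication, and the ",," case from the ticket is reported as "SSL trust ',,' lacks C".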

Metadata Update from @tbabej:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.1.3

2 years ago

