When setting up winsync replication, the DS needs to trust the AD CA:

[tbabej@vm-124 labtool]$ sudo certutil -d /etc/dirsrv/slapd-DOM124-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOM124.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA                CT,C,C
Server-Cert                                                  u,u,u
CN=advm.tbad.idm.lab.eng.brq.redhat.com                      CT,C,C
CN=tbad-ADVM-CA,DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com CT,C,C
Note the flags in the last certificate.
However, when setting up winsync, it blows up due to a TLS error (Peer's issuer not recognized).

[tbabej@vm-124 labtool]$ sudo ipa-replica-manage connect -p blablabla --winsync --binddn cn=Administrator,cn=Users,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com --bindpw Secret123456 --passsync Secret123456 --cacert /home/tbabej/ad_ca_cert.cer advm.tbad.idm.lab.eng.brq.redhat.com -v -f
Added CA certificate /home/tbabej/ad_ca_cert.cer to certificate database for vm-124.dom124.tbad.idm.lab.eng.brq.redhat.com
ipa: INFO: AD Suffix is: DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=dom124,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[vm-124.dom124.tbad.idm.lab.eng.brq.redhat.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
Failed to start replication
The culprit here is that the winsync setup tries to import the CA cert and sets the wrong flags:

[tbabej@vm-124 labtool]$ sudo certutil -d /etc/dirsrv/slapd-DOM124-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOM124.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA                CT,C,C
Server-Cert                                                  u,u,u
CN=advm.tbad.idm.lab.eng.brq.redhat.com                      CT,C,C
CN=tbad-ADVM-CA,DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com ,,
This effectively means the user is unable to set up winsync replication with 4.1, and there is no workaround other than modifying the IPA source code.

The problem here is that the load_cacert method uses an incorrect check to detect whether a certificate belongs to a CA, which only works for IPA CA certs.
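As an added illustration, not code from this ticket or from FreeIPA's load_cacert, the Python below (using the third-party `cryptography` package) decides CA-ness from the certificate's own Basic Constraints extension rather than from its name, and maps the answer to the NSS trust attribute strings that `certutil -L` prints and `certutil -A -t` accepts. The name-based heuristic `naive_is_ca_by_name` is a hypothetical stand-in for the class of check that only matches the IPA CA's subject (CN=Certificate Authority,...); it is not a claim about what the IPA code actually did. The CA and leaf certificates, their subjects and keys are constructed for the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# NSS trust attribute strings in the order certutil -L prints them
# (SSL, S/MIME, JAR/XPI).
CA_TRUST_FLAGS = "CT,C,C"   # trusted CA for all three uses
NO_TRUST_FLAGS = ",,"       # the flags the broken winsync import ended up with


def naive_is_ca_by_name(cert):
    """Hypothetical name-based heuristic (NOT FreeIPA's actual code): treat a
    certificate as a CA only if its subject CN contains 'Certificate Authority',
    as the IPA CA's subject does.  An AD CA such as CN=tbad-ADVM-CA fails it."""
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return any("Certificate Authority" in a.value for a in cns)


def is_ca_cert(cert):
    """Decide CA-ness from the certificate itself: the Basic Constraints
    extension must be present and say CA:TRUE.  A certificate without the
    extension is treated as an end-entity cert, the conservative choice
    before importing anything into a trust store."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
    except x509.ExtensionNotFound:
        return False
    return bool(ext.value.ca)


def trust_flags_for(cert):
    """Trust attributes to hand to `certutil -A -t ...` for this certificate."""
    return CA_TRUST_FLAGS if is_ca_cert(cert) else NO_TRUST_FLAGS


def trust_flags_for_pem(pem_bytes):
    """Same decision starting from a PEM file such as the --cacert argument."""
    return trust_flags_for(x509.load_pem_x509_certificate(pem_bytes))


def to_pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)


def _make_cert(subject, issuer, key, signing_key, ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def build_test_pair():
    """Constructed test input: a self-signed CA modelled on the AD CA subject
    from the ticket, and an end-entity cert it signed.  Keys are throwaway."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "tbad-ADVM-CA")])
    ca_cert = _make_cert(ca_name, ca_name, ca_key, ca_key, ca=True)

    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_name = x509.Name([x509.NameAttribute(
        NameOID.COMMON_NAME, "advm.tbad.idm.lab.eng.brq.redhat.com")])
    leaf_cert = _make_cert(leaf_name, ca_name, leaf_key, ca_key, ca=False)
    return ca_cert, leaf_cert


if __name__ == "__main__":
    ca_cert, leaf_cert = build_test_pair()
    for c in (ca_cert, leaf_cert):
        cn = c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        print(f"{cn:40} by-name={naive_is_ca_by_name(c)!s:5} "
              f"by-basic-constraints={is_ca_cert(c)!s:5} flags={trust_flags_for(c)}")
```

Run stand-alone it prints one line per certificate: the AD-style CA is rejected by the name heuristic but accepted by the Basic Constraints check and gets CT,C,C, while the end-entity cert gets ,, from both. The point to carry back to the ticket is that the trust decision has to come from the certificate's content, since a third-party CA's subject can look like anything.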
master:
ipa-4-1:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1169867
Metadata Update from @tbabej: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.1.3