Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1358310
Description of problem:
'Error initializing SSL/TLS' is seen when we try to do a winsync replication agreement with a tree-root domain having standalone CA installed

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-2.1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA-server with --setup-dns
2. Disable dnssec validation and restart named-pkcs11.service
3. Add forwardzone for Windows domain to which winsync-agreement is to be set up.
4. Create a tree root domain for an existing forest.
5. Now add 'Active Directory Certificate Service' from Server Manager.
6. Under Standalone CA select Root CA (Note: Enterprise CA is grayed out since there is already one installed in the forest root domain)
7. Copy file /etc/ipa/ca.crt on the AD server as IPAcert.cer
8. Copy IPAcert.cer to Red Hat Directory Password Synchronization directory.
9. certutil -d . -N
10. certutil -d . -A -n "IPA CA" -t CT,, -a -i IPAcert.cer
11. Restart AD
12. Copy the ADcert.cer file in /etc/dirsrv/<instance-name>
13. certutil -d . -A -i ADcert.cer -n "AD Cert" -t "CT,C,C" -a
14. Ensure certificate is seen in 'certutil -d . -L'
15. In /etc/openldap/ldap.conf add TLS_CACERTDIR /etc/dirsrv/slapd-<instancename>
16. Try to create replication agreement using the below command.
    ipa-replica-manage connect --winsync --passsync=password --cacert=/etc/dirsrv/slapd-TESTRELM.TEST/ADcert.cer win3.test.qa --binddn "cn=Administrator,cn=Users,dc=test,dc=qa" --bindpw ***** -v -p *****

Actual results:
[root@server slapd-TESTRELM-TEST]# ipa-replica-manage connect --winsync --passsync=**** --cacert=/etc/dirsrv/slapd-TESTRELM-TEST/ADcert.cer win3.test.qa --binddn "cn=Administrator,cn=Users,dc=test,dc=qa" --bindpw **** -v -p *****
Added CA certificate /etc/dirsrv/slapd-TESTRELM-TEST/ADcert.cer to certificate database for server.testrelm.test
ipa: INFO: Failed to connect to AD server win3.test.qa
ipa: INFO: The error was: {'info': '00000000: LdapErr: DSID-0C090F78, comment: Error initializing SSL/TLS, data 0, v2580', 'desc': 'Server is unavailable'}
Failed to setup winsync replication

Expected results:
The winsync agreement should be set up if it's supported.

Additional info:
1. Currently we can establish winsync replication agreement only with forest domain having enterprise root CA.
2. When we try to establish winsync replication agreement with tree root domain in which only Standalone (Root CA/Subordinate CA) is allowed to be created, the winsync agreement doesn't work.
3. Was trying to execute the scenario to ensure that we can actually add external trust to tree root domain and then run winsync-migrate.

Note: https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pass-sync.html has a TIP given: "Install the Microsoft Certificate System in Enterprise Root Mode. Active Directory will then automatically enroll to retrieve its SSL server certificate."
So does this mean we only allow winsync agreement with Enterprise Root CA mode?
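The reproduction steps above import certificates by hand on both sides and then rely on ipa-replica-manage to report what went wrong. As an added example that is not part of the ticket or of FreeIPA, the shell script below is a pre-flight check for the IPA side of that procedure: it verifies that the listing from step 14 contains the "AD Cert" nickname with a CA-trusting SSL flag, that the TLS_CACERTDIR line from step 15 points at the instance directory, and it pulls the DC-generated "comment:" field out of the error dict printed under "Actual results". That field is produced by the domain controller, so "Error initializing SSL/TLS" means the handshake failed on the AD side, which is consistent with the quoted TIP: a standalone CA does not auto-enroll the DC with an SSL server certificate the way an Enterprise CA does. The certutil listing, ldap.conf fragment and error string are constructed samples; the host names, nicknames and paths are the ticket's. The live `openssl s_client` check against the DC's LDAPS port runs only when the script is invoked with `--live <dc-host> <ca-file>`.

```shell
#!/bin/sh
# Added example: pre-flight checks for the winsync TLS setup in the ticket's
# reproduction steps. Not part of the ticket or of FreeIPA; all sample data
# below is constructed. Nicknames and paths mirror the ticket's steps 13-16.

# Step 14: confirm NICKNAME appears in a `certutil -d <dir> -L` listing and
# that its SSL trust slot (the text before the first comma) carries the C
# flag, i.e. the cert is trusted to issue server certs (CT,C,C and CT,, both
# qualify; u,u,u is a user cert and does not).
nss_ca_trusted() {
    local listing=$1 nick=$2 trust
    # The trust string is the last field of the line that starts with the nickname.
    trust=$(printf '%s\n' "$listing" |
        awk -v n="$nick" '$0 ~ ("^" n "[[:space:]]") { print $NF; exit }')
    [ -n "$trust" ] || return 1
    case "${trust%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Step 15: confirm ldap.conf points TLS_CACERTDIR at the instance's NSS dir
# (the last TLS_CACERTDIR line wins, as in OpenLDAP's own parsing of the file).
ldapconf_cacertdir_is() {
    local conf=$1 want=$2 got
    got=$(printf '%s\n' "$conf" |
        awk '/^[[:space:]]*TLS_CACERTDIR[[:space:]]/ { v = $2 } END { print v }')
    [ "$got" = "$want" ]
}

# Extract the DC's "comment:" field from the python-ldap error dict that
# ipa-replica-manage prints. The DC generates that text, so when it reads
# "Error initializing SSL/TLS" the failure is on the AD side: check the DC's
# server certificate rather than the local NSS database.
ad_error_comment() {
    printf '%s\n' "$1" | sed -n 's/.*comment: \([^,]*\),.*/\1/p'
}

# Live check, only run when invoked as: $0 --live <dc-host> <ca-file>
# Fetches the DC's LDAPS chain and verifies it against the file given to
# --cacert; a non-zero exit means the DC's cert does not chain to that CA
# (or the DC offered no certificate at all).
ad_ldaps_verify() {
    local host=$1 cafile=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample listing, shaped like the result of steps 13 and 14.
SAMPLE_LISTING='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

AD Cert                                     CT,C,C
Server-Cert                                 u,u,u'

# Constructed /etc/openldap/ldap.conf fragment from step 15.
SAMPLE_LDAPCONF='# constructed ldap.conf
TLS_CACERTDIR /etc/dirsrv/slapd-TESTRELM-TEST'

# The error dict quoted in the ticket's "Actual results".
SAMPLE_ERROR="{'info': '00000000: LdapErr: DSID-0C090F78, comment: Error initializing SSL/TLS, data 0, v2580', 'desc': 'Server is unavailable'}"

if [ "${1:-}" = "--live" ] && [ $# -eq 3 ]; then
    if ad_ldaps_verify "$2" "$3"; then
        echo "LDAPS chain from $2 verifies against $3"
    else
        echo "LDAPS verification of $2 against $3 failed"
    fi
fi
```

Run it without arguments to exercise the offline checks against the constructed samples, or with `--live win3.test.qa /etc/dirsrv/slapd-TESTRELM-TEST/ADcert.cer` on the IPA server to test the DC's LDAPS endpoint with the same CA file that step 16 passes to --cacert. If the offline checks pass but the live check fails, the local NSS import and ldap.conf are not the problem and the DC's own certificate enrollment is the place to look.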
Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

Metadata Update from @rcritten:
- Issue close_status updated to: insufficientinfo
- Issue status updated to: Closed (was: Open)