#6318 ipa-replica-manage connect --winsync: LdapErr: DSID-0C090F78, comment: Error initializing SSL/TLS, data 0, v2580'.
Closed: insufficientinfo 5 years ago by rcritten. Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1358310

Description of problem: 'Error initializing SSL/TLS' is seen when we try to do
a winsync replication agreement with a tree-root domain having standalone CA
installed

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-2.1.el7.x86_64

How reproducible: Always

Steps to Reproduce:

1. Install IPA-server with --setup-dns
2. Disable dnssec validation and restart named-pkcs11.service
3. Add a forward zone for the Windows domain to which the winsync agreement is to be
set up.
4. Create a tree root domain for an existing forest.
5. Now add 'Active directory Certificate Service' from Server Manager.
6. Under Standalone CA select Root CA

(Note: Enterprise CA is grayed out since there is already one installed in the
forest root domain)

7. Copy file /etc/ipa/ca.crt on the AD server as IPAcert.cer
8. Copy IPAcert.cer to Red Hat Directory Password Synchronization directory.
9. certutil -d . -N
10. certutil -d . -A -n "IPA CA" -t CT,, -a -i IPAcert.cer
11. Restart AD
12. Copy the ADcert.cer file into /etc/dirsrv/<instance-name>
13. certutil -d . -A -i ADcert.cer -n "AD Cert" -t "CT,C,C" -a
14. Ensure certificate is seen in 'certutil -d . -L'
15. /etc/openldap/ldap.conf add TLS_CACERTDIR /etc/dirsrv/slapd-<instancename>
16. Try to create replication agreement using the below command.

ipa-replica-manage connect --winsync --passsync=password
--cacert=/etc/dirsrv/slapd-TESTRELM.TEST/ADcert.cer win3.test.qa --binddn
"cn=Administrator,cn=Users,dc=test,dc=qa" --bindpw ***** -v -p *****


Actual results:

[root@server slapd-TESTRELM-TEST]# ipa-replica-manage connect --winsync
--passsync=**** --cacert=/etc/dirsrv/slapd-TESTRELM-TEST/ADcert.cer
win3.test.qa --binddn "cn=Administrator,cn=Users,dc=test,dc=qa" --bindpw ****
-v -p *****
Added CA certificate /etc/dirsrv/slapd-TESTRELM-TEST/ADcert.cer to certificate
database for server.testrelm.test
ipa: INFO: Failed to connect to AD server win3.test.qa
ipa: INFO: The error was: {'info': '00000000: LdapErr: DSID-0C090F78, comment:
Error initializing SSL/TLS, data 0, v2580', 'desc': 'Server is unavailable'}
Failed to setup winsync replication


Expected results: The winsync agreement should be set up if it is supported.

Additional info:
1. Currently we can establish winsync replication agreement only with forest
domain having enterprise root CA.

2. When we try to establish a winsync replication agreement with a tree root domain
in which only a Standalone (Root CA/Subordinate CA) is allowed to be created, the
winsync agreement doesn't work.

3. Was trying to execute the scenario to ensure that we can actually add
external trust to tree root domain and then run winsync-migrate.

Note: https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pass-sync.html has a TIP given:

Install the Microsoft Certificate System in Enterprise Root Mode. Active
Directory will then automatically enroll to retrieve its SSL server
certificate.

So does this mean we only allow winsync agreement with Enterprise Root CA mode?
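The `'info'` string ipa-replica-manage logs above follows Active Directory's `LdapErr: DSID-..., comment: ..., data ..., v...` layout, and the `data` field is the Win32 error code in hex. The parser below is an added example (not code from the ticket, FreeIPA or 389-ds) that splits that string into fields so the failure can be classified in a log pipeline; the Win32 name table only carries the two values named in comments, and the second sample string is constructed.

```python
import re
from typing import Optional

# Layout of the diagnostic string AD returns in the LDAP result's "info" field:
#   00000000: LdapErr: DSID-0C090F78, comment: Error initializing SSL/TLS, data 0, v2580
_AD_LDAPERR = re.compile(
    r"^(?P<prefix>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)$"
)

# Win32 codes seen in the "data" field. Only values we are certain of;
# anything else is reported as a raw number rather than guessed at.
_WIN32_NAMES = {
    0x0: "no Win32 error reported",
    0x52E: "ERROR_LOGON_FAILURE (bad bind DN or password)",
}

# Constructed from the ticket's "Actual results" output.
TICKET_RESULT = {
    "info": "00000000: LdapErr: DSID-0C090F78, comment: Error initializing SSL/TLS, data 0, v2580",
    "desc": "Server is unavailable",
}


def parse_ad_ldaperr(info: str) -> Optional[dict]:
    """Split an AD 'LdapErr' string into fields; None if it is not AD-shaped."""
    m = _AD_LDAPERR.match(info.strip())
    if not m:
        return None
    data = int(m.group("data"), 16)
    return {
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment"),
        "data": data,
        "data_meaning": _WIN32_NAMES.get(data, f"Win32 error 0x{data:x} ({data})"),
        "version": m.group("version"),
    }


def describe_winsync_failure(result: dict) -> str:
    """One greppable line from the {'info': ..., 'desc': ...} dict the tool logs."""
    parsed = parse_ad_ldaperr(result.get("info", ""))
    if parsed is None:
        return f"{result.get('desc', 'unknown')}: {result.get('info', '')!r}"
    return (f"{result.get('desc', 'unknown')}: AD DSID-{parsed['dsid']} "
            f"'{parsed['comment']}', data={parsed['data_meaning']}")
```

For the ticket's output the parsed `data` is 0, i.e. AD reports no underlying Win32 error alongside "Error initializing SSL/TLS", which is why the server-side certificate setup (the Enterprise Root CA tip quoted above) is the first thing to check rather than the bind credentials.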

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Metadata Update from @rcritten:
- Issue close_status updated to: insufficientinfo
- Issue status updated to: Closed (was: Open)

5 years ago
