Hi,

> > Hi,
> >
> > >>> Hi all,
> > >>>
> > >>> I've a problem with winsync between IPA 2.2 on CentOS 6.3 and Active
> > >>> Directory 2008R2.
> > >>>
> > >>> I'm following this documentation to enable synchronization:
> > >>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
> > >> There is nothing on this page about running certutil? Which link talks
> > >> about certutil?
> > Links present in the documentation talk about commands and options
> > for certutil, but I don't see anything about this error.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
>
> Can one of the IPA developers explain why it is necessary to install the
> IPA CA certificate into the Windows Cert Store in order to get
> Winsync/PassSync working? I don't believe it is necessary.
>
> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
> Directory and IPA CA Certificates

- I trusted the IPA certificate on AD. To do this, I launched mmc, added the
  "Certificate" component for "local computer", and then added the IPA cert
  to Trusted Root CA. Now when I run
  "openssl s_client -host ad-server.example.com -port 636"
  I can see the IPA certificate as a Trusted client CA.

- I tested the AD LDAP connection:

  LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H ldap://ad-server.example.com -ZZ -D "cn=ipasync,cn=users,dc=example,dc=com" -w XXXXX -s base -b "" 'objectclass=*' namingcontexts
  dn:
  namingContexts: DC=example,DC=com
  namingContexts: CN=Configuration,DC=example,DC=com
  namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
  namingContexts: DC=DomainDnsZones,DC=example,DC=com
  namingContexts: DC=ForestDnsZones,DC=example,DC=com

- Now I run into another problem, when I run:

  ipa-replica-manage connect --winsync --binddn cn=ipasync,cn=users,dc=example,dc=com --bindpw XXXXX --passsync XXXXX --cacert /etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
  Directory Manager password:
  Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database for ipa.foo.example.local
  ipa: INFO: AD Suffix is: DC=example,DC=com
  The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
  Windows PassSync entry exists, not resetting password
  ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
  ipa: INFO: Replication Update in progress: FALSE: status: -11  - System error: start: 0: end: 0
  ipa: INFO: Agreement is ready, starting replication . . .
  Starting replication, please wait until this has completed.
  [ipa.foo.example.local] reports: Update failed! Status: [-11  - System error]
  Failed to start replication

> > I'm a newbie on Microsoft OSes, but I don't understand why certutil
> > doesn't find my file.
> >
> > I will ask on a Microsoft forum.
> >
> > Regards
> >>> When I run as admin 'certutil -installcert -v -config
> >>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
> >>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
> >>> French):
> >>>
> >>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
> >>> CertUtil: Specified file not found
> >>>
> >>> Has someone seen this issue?
> >>>
> >>> Have a nice day.
> >>>
> >>> Regards.
> >>>
> >>> Baptiste.

Have a nice day.

Regards

Baptiste.

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
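The three manual checks in the message above (the --cacert file, TLS to AD on 636, a StartTLS bind as the sync account) can be run as one preflight script before creating the agreement. This is an added example, not code from the thread or from FreeIPA; it assumes the AD host, CA path and bind DN quoted in the thread and takes the bind password from the BIND_PW environment variable.

```shell
#!/bin/sh
# Added preflight script (not from the thread): repeats the checks the
# message above did by hand before 'ipa-replica-manage connect --winsync'.
# Assumed values: the AD host, CA file and bind DN quoted in the thread;
# override them through the environment.
AD_HOST="${AD_HOST:-ad-server.example.com}"
AD_CA="${AD_CA:-/etc/openldap/cacerts/ad-ca.crt}"
BIND_DN="${BIND_DN:-cn=ipasync,cn=users,dc=example,dc=com}"

# 1. The --cacert file must be readable, parse as PEM X.509 and carry the
#    CA flag; ipa-replica-manage imports it into the 389-ds NSS database.
check_ca_file() {
    f="$1"
    [ -r "$f" ] || { echo "CA file not readable: $f"; return 1; }
    openssl x509 -in "$f" -noout >/dev/null 2>&1 \
        || { echo "not a PEM X.509 certificate: $f"; return 1; }
    openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "basicConstraints CA:TRUE missing: $f"; return 1; }
    echo "CA file OK: $(openssl x509 -in "$f" -noout -subject)"
}

# 2. LDAPS on 636 must verify against that CA (the same handshake the sync
#    agreement will do); a non-zero verify code means a wrong or missing CA.
check_ad_tls() {
    out=$(openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>&1 || true)
    echo "$out" | grep -q 'Verify return code: 0 (ok)' \
        || { echo "TLS verification of $1 against $2 failed"; return 1; }
    echo "TLS to $1 verified against $2"
}

# 3. StartTLS bind as the sync account, the test the thread ran with
#    ldapsearch -ZZ, but pinned to the single CA file instead of a directory.
check_ad_bind() {
    LDAPTLS_CACERT="$2" ldapsearch -xLLL -H "ldap://$1" -ZZ -D "$3" -w "$4" \
        -s base -b "" namingContexts >/dev/null 2>&1 \
        || { echo "StartTLS bind as $3 failed"; return 1; }
    echo "StartTLS bind as $3 OK"
}

run_preflight() {
    check_ca_file "$AD_CA" \
        && check_ad_tls "$AD_HOST" "$AD_CA" \
        && check_ad_bind "$AD_HOST" "$AD_CA" "$BIND_DN" "${BIND_PW:-}"
}

# Only run the checks when invoked as 'sh ad-preflight.sh run'.
case "${1:-}" in run) run_preflight ;; esac
```

Each check prints the first failing step, so a bad CA file is reported before any connection to AD is attempted.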
