Red Hat Bugzilla – Bug 1169867
Winsync: Setup is broken due to incorrect import of certificate
Last modified: 2015-03-05 05:18:43 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/4779

When setting up winsync replication, DS needs to trust AD CA:

{{{
[tbabej@vm-124 labtool]$ sudo certutil -d /etc/dirsrv/slapd-DOM124-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L

Certificate Nickname                                                    Trust Attributes
                                                                        SSL,S/MIME,JAR/XPI

DOM124.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA                           CT,C,C
Server-Cert                                                             u,u,u
CN=advm.tbad.idm.lab.eng.brq.redhat.com                                 CT,C,C
CN=tbad-ADVM-CA,DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com    CT,C,C
}}}

Note the flags in the last certificate.

However, when setting up winsync, it blows up due to TLS error (Peer's issuer not recognized).

{{{
[tbabej@vm-124 labtool]$ sudo ipa-replica-manage connect -p blablabla --winsync --binddn cn=Administrator,cn=Users,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com --bindpw Secret123456 --passsync Secret123456 --cacert /home/tbabej/ad_ca_cert.cer advm.tbad.idm.lab.eng.brq.redhat.com -v -f
Added CA certificate /home/tbabej/ad_ca_cert.cer to certificate database for vm-124.dom124.tbad.idm.lab.eng.brq.redhat.com
ipa: INFO: AD Suffix is: DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=dom124,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[vm-124.dom124.tbad.idm.lab.eng.brq.redhat.com] reports: Update failed! Status: [-11  - LDAP error: Connect error]
Failed to start replication
}}}

The culprit here is that winsync setup tries to import the CA cert and sets wrong flags:

{{{
[tbabej@vm-124 labtool]$ sudo certutil -d /etc/dirsrv/slapd-DOM124-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L

Certificate Nickname                                                    Trust Attributes
                                                                        SSL,S/MIME,JAR/XPI

DOM124.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA                           CT,C,C
Server-Cert                                                             u,u,u
CN=advm.tbad.idm.lab.eng.brq.redhat.com                                 CT,C,C
CN=tbad-ADVM-CA,DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com    ,,
}}}

This effectively means a user is unable to set up the winsync replication with 4.1 and there is no workaround other than modifying the IPA source code.
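The failure above is visible in the NSS database before any replication attempt: the AD CA entry is present but its SSL trust column is empty, so DS cannot validate the AD server certificate. The following script is an added example, not part of this bug report or of FreeIPA; it parses `certutil -L` output (nicknames may contain spaces, so the trust triple is split off from the right) and reports every CA entry whose SSL column lacks the `C` flag. The sample listing embedded in it is constructed to mirror the broken state shown in this report, and the `check_nss_db` wrapper assumes `certutil` is on PATH and the caller can read the DS NSS directory.

```python
import re
import subprocess
import sys

# Trust-attribute triple as printed by certutil -L: SSL,S/MIME,JAR/XPI.
# Every column may be empty, so ",," is a legal (and here, the broken) value.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

# Constructed sample modelled on the listing in this bug after the failed
# winsync setup; it is not output captured from a real server.
SAMPLE_BROKEN = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA1.EXAMPLE.COM IPA CA                                      CT,C,C
Server-Cert                                                  u,u,u
CN=adroot3-ADCS3-CA,DC=adroot3,DC=example,DC=com             ,,
"""

# Constructed sample of the state after the fix: the AD CA carries the C flag.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "DC=example,DC=com             ,,", "DC=example,DC=com             C,,")


def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)} parsed from `certutil -L` output.

    The nickname can contain spaces ("IPA1.EXAMPLE.COM IPA CA"), so the line is
    split from the right on the last whitespace run; header lines are dropped
    because their last token is not a trust triple.
    """
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue
        nick, trust = parts
        if not TRUST_RE.match(trust):
            continue
        certs[nick.strip()] = tuple(trust.split(","))
    return certs


def ca_entries_missing_ssl_trust(certs):
    """Nicknames of CA entries whose SSL column lacks 'C'.

    Entries with a 'u' flag are our own certificates with private keys
    (e.g. Server-Cert) and are skipped; everything else is expected to be a
    CA that DS must trust to issue server certificates, which is the 'C' flag
    in the SSL column.
    """
    bad = []
    for nick, (ssl, smime, jar) in certs.items():
        if "u" in ssl + smime + jar:
            continue
        if "C" not in ssl:
            bad.append(nick)
    return bad


def check_nss_db(db_dir):
    """Run certutil against a live NSS database and return offending CA nicknames.

    db_dir is the DS instance directory, e.g. /etc/dirsrv/slapd-IPA1-EXAMPLE-COM/.
    """
    out = subprocess.run(["certutil", "-L", "-d", db_dir],
                         check=True, capture_output=True, text=True).stdout
    return ca_entries_missing_ssl_trust(parse_certutil_listing(out))


if __name__ == "__main__":
    # Usage: python3 check_ca_trust.py /etc/dirsrv/slapd-IPA1-EXAMPLE-COM/
    offenders = check_nss_db(sys.argv[1])
    for nick in offenders:
        print("CA entry without C (SSL) trust flag: %s" % nick)
    sys.exit(1 if offenders else 0)
```

Run it against the DS instance directory right after `ipa-replica-manage connect --winsync` to confirm the imported AD CA ended up with `C` in the SSL column (as in the verified listing further down, `C,,`) rather than `,,`; a non-zero exit means DS will still reject the AD server certificate with the "Peer's issuer not recognized" error quoted above.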
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/faec4ef9de431a1b72423be8ce6cea28a7221531
ipa-4-1: https://fedorahosted.org/freeipa/changeset/db4ac4774523c1d41a606b1c0297e9eeae13ebd6
I was able to reproduce this on ipa-server-4.1.0-10.el7.x86_64

[root@rhel7-1 ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/etc/openldap/certs/adcs3-ca.cer -p Secret123 --binddn="cn=Administrator,cn=Users,dc=adroot3,dc=example,dc=com" --bindpw=Secret123 -v -f adcs3.adroot3.example.com
Added CA certificate /etc/openldap/certs/adcs3-ca.cer to certificate database for rhel7-1.ipa1.example.com
ipa: INFO: AD Suffix is: DC=adroot3,DC=example,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipa1,dc=example,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[rhel7-1.ipa1.example.com] reports: Update failed! Status: [-11  - LDAP error: Connect error]
Failed to start replication

[root@rhel7-1 ~]# certutil -L -d /etc/dirsrv/slapd-IPA1-EXAMPLE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA1.EXAMPLE.COM IPA CA                                      CT,C,C
CN=adroot3-ADCS3-CA,DC=adroot3,DC=example,DC=com             ,,
Verified.

Version :: ipa-server-4.1.0-16.el7.x86_64

Results ::

[root@rhel7-2 ~]# ipa-replica-manage connect --winsync --passsync=password \
> --cacert=/etc/openldap/certs/adcs3-ca.cer -p Secret123 \
> --binddn="cn=Administrator,cn=Users,dc=adroot3,dc=example,dc=com" \
> --bindpw=Secret123 -v -f adcs3.adroot3.example.com
Added CA certificate /etc/openldap/certs/adcs3-ca.cer to certificate database for rhel7-2.ipa2.example.com
ipa: INFO: AD Suffix is: DC=adroot3,DC=example,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipa2,dc=example,dc=com
Adding Windows PassSync system account
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'rhel7-2.ipa2.example.com' to 'adcs3.adroot3.example.com'

[root@rhel7-2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA2-EXAMPLE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA2.EXAMPLE.COM IPA CA                                      CT,C,C
Server-Cert                                                  u,u,u
CN=adroot3-ADCS3-CA,DC=adroot3,DC=example,DC=com             C,,
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html