Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1169867 - Winsync: Setup is broken due to incorrect import of certificate
Winsync: Setup is broken due to incorrect import of certificate
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.1
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
Namita Soman
:
Depends On:
Blocks: 1168850
  Show dependency treegraph
 
Reported: 2014-12-02 10:10 EST by Jan Cholasta
Modified: 2015-03-05 05:18 EST (History)
4 users (show)

See Also:
Fixed In Version: ipa-4.1.0-11.el7
Doc Type: Known Issue
Doc Text:
Need to be updated for inclusion in Beta release notes.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 05:18:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 09:50:39 EST

  None (edit)
Description Jan Cholasta 2014-12-02 10:10:38 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4779

When setting up winsync replication, DS needs to trust AD CA:

{{{

[tbabej@vm-124 labtool]$ sudo certutil -d /etc/dirsrv/slapd-DOM124-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L                                                                                                                                       

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOM124.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA                CT,C,C
Server-Cert                                                  u,u,u
CN=advm.tbad.idm.lab.eng.brq.redhat.com                      CT,C,C
CN=tbad-ADVM-CA,DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com CT,C,C

}}}

Note the flags in the last certificate.

However, when setting up winsync, it blows up due to TLS error (Peer's issuer not recognized).

{{{

[tbabej@vm-124 labtool]$ sudo ipa-replica-manage connect -p blablabla --winsync --binddn cn=Administrator,cn=Users,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com --bindpw Secret123456 --passsync Secret123456 --cacert /home/tbabej/a
d_ca_cert.cer advm.tbad.idm.lab.eng.brq.redhat.com -v -f
Added CA certificate /home/tbabej/ad_ca_cert.cer to certificate database for vm-124.dom124.tbad.idm.lab.eng.brq.redhat.com
ipa: INFO: AD Suffix is: DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=dom124,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[vm-124.dom124.tbad.idm.lab.eng.brq.redhat.com] reports: Update failed! Status: [-11  - LDAP error: Connect error]

Failed to start replication

}}}

The culprit here is that winsync setup tries to import the CA cert and sets wrong flags:

{{{

[tbabej@vm-124 labtool]$ sudo certutil -d /etc/dirsrv/slapd-DOM124-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM/ -L                                                                                                                                       

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOM124.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA                CT,C,C
Server-Cert                                                  u,u,u
CN=advm.tbad.idm.lab.eng.brq.redhat.com                      CT,C,C
CN=tbad-ADVM-CA,DC=tbad,DC=idm,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com ,, 

}}}

This effectively means user is unable to setup the winsync replication with 4.1 and there is no workaround other than modifying the IPA source code.
Comment 5 Scott Poore 2015-01-23 16:15:16 EST
I was able to reproduce this on ipa-server-4.1.0-10.el7.x86_64

[root@rhel7-1 ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/etc/openldap/certs/adcs3-ca.cer -p Secret123 --binddn="cn=Administrator,cn=Users,dc=adroot3,dc=example,dc=com" --bindpw=Secret123 -v -f adcs3.adroot3.example.com
Added CA certificate /etc/openldap/certs/adcs3-ca.cer to certificate database for rhel7-1.ipa1.example.com
ipa: INFO: AD Suffix is: DC=adroot3,DC=example,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipa1,dc=example,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[rhel7-1.ipa1.example.com] reports: Update failed! Status: [-11  - LDAP error: Connect error]

Failed to start replication

[root@rhel7-1 ~]# certutil -L -d /etc/dirsrv/slapd-IPA1-EXAMPLE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA1.EXAMPLE.COM IPA CA                                      CT,C,C
CN=adroot3-ADCS3-CA,DC=adroot3,DC=example,DC=com             ,,
Comment 6 Scott Poore 2015-01-23 17:02:15 EST
Verified.

Version ::

ipa-server-4.1.0-16.el7.x86_64

Results ::

[root@rhel7-2 ~]# ipa-replica-manage connect --winsync --passsync=password \
>   --cacert=/etc/openldap/certs/adcs3-ca.cer -p Secret123 \
>   --binddn="cn=Administrator,cn=Users,dc=adroot3,dc=example,dc=com" \
>   --bindpw=Secret123 -v -f adcs3.adroot3.example.com
Added CA certificate /etc/openldap/certs/adcs3-ca.cer to certificate database for rhel7-2.ipa2.example.com
ipa: INFO: AD Suffix is: DC=adroot3,DC=example,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipa2,dc=example,dc=com
Adding Windows PassSync system account
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

Update succeeded

Connected 'rhel7-2.ipa2.example.com' to 'adcs3.adroot3.example.com'

[root@rhel7-2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA2-EXAMPLE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA2.EXAMPLE.COM IPA CA                                      CT,C,C
Server-Cert                                                  u,u,u
CN=adroot3-ADCS3-CA,DC=adroot3,DC=example,DC=com             C,,
Comment 8 errata-xmlrpc 2015-03-05 05:18:43 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.