
Bug 754992

Summary: Winsync works with any cacert provided to --cacert option in ipa-replica-manage.
Product: Red Hat Enterprise Linux 6
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.2
CC: jgalipea, kchamart, mkosek, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-24 15:00:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Gowrishankar Rajaiyan 2011-11-18 14:01:37 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a self-signed cert

# mkdir /root/kashyap
# certutil -N -d .
# certutil -S -n "self-signed-ca certificate" -s "cn=self-signed-CAcert" -x -t "CT,," -m 1000 -v 120 -d .
# certutil -L -d . -n "self-signed-ca certificate"  -a > test-ca.crt

2. Perform a winsync operation against AD using the above CA cert.

ipa-replica-manage connect --winsync --passsync=password --cacert=/root/kashyap/test-ca.crt AD.com --binddn "cn=Administrator,cn=Users,dc=AD,dc=com" --bindpw Secret123 -v -p Secret123

Actual results:
winsync operation is successful and users are synced.


Expected results: 
Expected to fail, since the ca cert is not of the Windows server, AD.com in this case.


Additional info:

[root@decepticons ~]# openssl x509 -text -in kashyap/test-ca.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=self-signed-CAcert
        Validity
            Not Before: Nov 18 13:38:05 2011 GMT
            Not After : Nov 18 13:38:05 2021 GMT
        Subject: CN=self-signed-CAcert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ba:68:b8:c0:5f:17:2d:8b:c8:ed:18:10:d0:60:
                    4f:94:b1:53:de:27:87:4f:b3:cf:0a:e5:24:e6:09:
                    ee:98:7c:ae:d0:5a:53:45:e5:15:07:32:54:36:75:
                    0c:ed:05:0c:32:1e:68:e8:ef:1b:c2:95:2a:b8:66:
                    20:94:b2:a3:3d:59:29:0c:54:ce:f2:05:5d:48:21:
                    09:78:ea:d5:82:53:e0:4c:8b:7d:74:02:ce:08:7f:
                    62:80:2c:bd:13:cf:6f:3c:88:c7:a2:fd:64:45:83:
                    49:93:7a:c9:9b:8d:5d:e6:7a:44:fc:7c:4b:b9:cb:
                    65:a5:27:4e:55:40:e7:b0:a9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        1d:8d:22:86:5d:ba:00:4b:0e:28:36:5b:42:74:d5:eb:2a:42:
        e2:39:33:c6:3a:dc:91:77:83:34:25:9c:6c:9d:10:9b:85:f6:
        61:a9:f1:d7:05:e9:0e:61:ea:0b:79:8a:e7:9d:96:5e:3b:9c:
        11:ce:cb:01:8f:3b:36:51:96:56:f8:0d:a0:e5:fb:59:07:f0:
        26:c8:47:f5:2c:24:71:80:79:09:9e:02:f0:53:e2:c5:f2:c7:
        c3:0a:a7:29:9e:8b:3c:26:72:ea:8a:12:00:f3:bf:18:d2:01:
        d1:fc:da:b8:4c:21:7c:5a:bd:d7:50:ad:f7:64:59:a4:77:3b:
        7f:07
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@decepticons ~]# 


[root@decepticons ~]# ipa user-find shanks-ad
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@decepticons ~]#



[root@decepticons ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/root/kashyap/test-ca.crt dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /root/kashyap/test-ca.crt to certificate database for decepticons.lab.eng.pnq.redhat.com
INFO:root:AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111118134533Z: end: 20111118134533Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'decepticons.lab.eng.pnq.redhat.com' to 'dhcp201-112.englab.pnq.redhat.com'
[root@decepticons ~]# 


[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LAB.ENG.PNQ.REDHAT.COM IPA CA                                CT,,C
CN=self-signed-CAcert                                        CT,,C
Server-Cert                                                  u,u,u
[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]#



[root@decepticons ~]# ipa user-find shanks-ad
--------------
1 user matched
--------------
  User login: shanks-ad
  First name: shanks-ad
  Last name: shanks-ad
  Home directory: /home/shanks-ad
  Login shell: /bin/sh
  UID: 1814400109
  GID: 1814400109
  Account disabled: False
  Keytab: False
  Password: False
----------------------------
Number of entries returned 1
----------------------------
[root@decepticons ~]# 



[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
dhcp201-112.englab.pnq.redhat.com: winsync
[root@decepticons ~]#

Comment 2 Gowrishankar Rajaiyan 2011-11-18 18:02:37 UTC
[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LAB.ENG.PNQ.REDHAT.COM IPA CA                                CT,,C
CN=self-signed-CAcert                                        CT,,C
Server-Cert                                                  u,u,u
[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]# 


[root@decepticons ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/root/kashyap/test-ca.crt dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /root/kashyap/test-ca.crt to certificate database for decepticons.lab.eng.pnq.redhat.com
INFO:root:AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111118175748Z: end: 20111118175748Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'decepticons.lab.eng.pnq.redhat.com' to 'dhcp201-112.englab.pnq.redhat.com'
[root@decepticons ~]#



[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]# ldapsearch -x -h decepticons.lab.eng.pnq.redhat.com -p 389 -D "cn=Directory Manager" -w Secret123 -b "cn=mapping tree,cn=config" 
# extended LDIF
#
# LDAPv3
# base <cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mapping tree, config
dn: cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
cn: mapping tree

# dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom, mapping tree, conf
 ig
dn: cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree
 ,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
cn: "dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"
nsslapd-state: backend
nsslapd-backend: userRoot
nsslapd-referral: ldap://sideswipe.lab.eng.pnq.redhat.com:389/dc%3Dlab%2Cdc%3D
 eng%2Cdc%3Dpnq%2Cdc%3Dredhat%2Cdc%3Dcom

# replica, dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom, mapping t
 ree, config
dn: cn=replica,cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=m
 apping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 3
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/sideswipe.lab.eng.pnq.redhat.com@LAB
 .ENG.PNQ.REDHAT.COM,cn=services,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc
 =com
nsState:: AwAAAAAAAAC5nMZOAAAAAAAAAAAAAAAAFwAAAAAAAAAEAAAAAAAAAA==
nsDS5ReplicaName: f46ae881-112311e1-bdfaa144-3581a2fd
nsds5ReplicaChangeCount: 47563
nsds5replicareapactive: 0

# meTodhcp201-112.englab.pnq.redhat.com, replica, dc\3Dlab\2Cdc\3Deng\2Cdc\3D
 pnq\2Cdc\3Dredhat\2Cdc\3Dcom, mapping tree, config
dn: cn=meTodhcp201-112.englab.pnq.redhat.com,cn=replica,cn=dc\3Dlab\2Cdc\3Deng
 \2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: cn=Users,DC=englab,DC=pnq,DC=redhat,DC=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=red
 hat,dc=com
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
cn: meTodhcp201-112.englab.pnq.redhat.com
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to dhcp201-112.englab.pnq.redhat.com
nsDS5ReplicaRoot: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
nsDS5ReplicaHost: dhcp201-112.englab.pnq.redhat.com
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=co
 m
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: lab.eng.pnq.redhat.com
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof entryusn krbl
 astsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {DES}MdU5bxh5HKD/KVqD0jfUqg==
nsds7DirsyncCookie:: TVNEUwMAAABOSyWnG6bMAQAAAAAAAAAAKAAAAImmAAAAAAAAAAAAAAAAA
 ACJpgAAAAAAAKKzNQJqRVJFhXBlBt3uXvwBAAAAAAAAAAEAAAAAAAAAorM1AmpFUkWFcGUG3e5e/I
 mmAAAAAAAA
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20111118175817Z
nsds5replicaLastUpdateEnd: 20111118175817Z
nsds5replicaChangesSentSinceStartup:: MzoyLzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20111118175750Z
nsds5replicaLastInitEnd: 20111118175751Z
nsds5replicaLastInitStatus: 0 Total update succeeded

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

Comment 3 Martin Kosek 2011-11-21 09:29:53 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2129

Comment 5 Rob Crittenden 2012-02-08 16:47:16 UTC
I can't reproduce this against my AD server.

I created a bogus CA and tried to use that:

# ipa-replica-manage connect --winsync --cacert=/tmp/test-ca.crt --binddn=cn=administrator,cn=users,dc=example,dc=com --bindpw Password1 win2003.example.com -v --passsync Password1
Added CA certificate /tmp/test-ca.crt to certificate database for rawhide.example.com
ipa: INFO: Failed to connect to AD server win2003.example.com
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
Failed to setup winsync replication

-8179 is "Certificate is signed by an unknown issuer" which is what I would expect.

Comment 6 Rob Crittenden 2012-02-21 21:19:53 UTC
I just tried again, works for me. Can you provide additional reproduction steps?

Comment 7 Rob Crittenden 2012-02-24 15:00:16 UTC
I was provided a machine that demonstrates this issue. This was extremely helpful.

I switched to using ldapsearch -ZZ to diagnose the problem and this led me to two problems:

1. The CA cert was in /etc/openldap/cacerts. openldap automatically loads these certs, which is why the AD CA was trusted even though the incorrect one was passed on the CLI.
2. /etc/openldap/ldap.conf had TLS_REQCERT set to allow. This means that a bad server cert is accepted even if untrusted.

I renamed ldap.conf to ldap.conf.old and confirmed that neither ldapsearch nor ipa-replica-manage work any more:

# cd /etc/openldap
# mv ldap.conf ldap.conf.old
# ipa-replica-manage connect --winsync --passsync=password --cacert=/root/kashyap/test-ca.crt dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /root/kashyap/test-ca.crt to certificate database for decepticons.lab.eng.pnq.redhat.com
INFO:root:Failed to connect to AD server dhcp201-112.englab.pnq.redhat.com
INFO:root:The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
Failed to setup winsync replication

I restored the system to its previous state.
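The two root causes in comment 7 are both client-side OpenLDAP settings: a `TLS_CACERTDIR` pointing at a directory whose every CA is trusted implicitly, and `TLS_REQCERT allow`, which lets a session proceed even when the server certificate does not chain to any trusted CA (OpenLDAP's default is `demand`). The following is an added example, not code from this bug or from FreeIPA: a small audit that parses an `ldap.conf`-style file and flags exactly those two conditions, run over a constructed configuration resembling the one found on the affected machine and over a hardened counterpart. The file names in the sample directory listing and the `/path/to/expected-ca.crt` path are placeholders.

```python
"""Audit an OpenLDAP client configuration (ldap.conf) for settings that let
an untrusted server certificate be accepted, as diagnosed in comment 7."""

# TLS_REQCERT values OpenLDAP accepts. Only demand (alias: hard) fails the
# session when the server certificate is missing or does not chain to a
# trusted CA; never/allow/try all continue regardless.
REQCERT_STRICT = {"demand", "hard"}
REQCERT_WEAK = {"never", "allow", "try"}
REQCERT_DEFAULT = "demand"  # OpenLDAP's documented default when unset


def parse_ldap_conf(text):
    """Parse ldap.conf text into {KEYWORD: value}.

    Keywords are case-insensitive, '#' introduces a comment line, blank lines
    are ignored, and a later occurrence of a keyword overrides an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def audit_tls(settings, cacertdir_listing=None):
    """Return a list of findings (empty list means nothing weakens verification).

    cacertdir_listing: file names the caller found in TLS_CACERTDIR; passed in
    rather than read from disk so the audit runs offline (constructed input).
    """
    findings = []
    reqcert = settings.get("TLS_REQCERT", REQCERT_DEFAULT).lower()
    if reqcert in REQCERT_WEAK:
        findings.append(
            "TLS_REQCERT %s: server certificate need not chain to a trusted CA, "
            "so a wrong --cacert cannot make the connection fail" % reqcert)
    elif reqcert not in REQCERT_STRICT:
        findings.append("TLS_REQCERT %s: unrecognised value" % reqcert)
    if "TLS_CACERTDIR" in settings:
        extra = list(cacertdir_listing or [])
        findings.append(
            "TLS_CACERTDIR %s: every CA in this directory is trusted implicitly "
            "(%d file(s): %s)" % (settings["TLS_CACERTDIR"], len(extra),
                                  ", ".join(extra) or "none listed"))
    return findings


# Constructed sample resembling the affected machine's /etc/openldap/ldap.conf.
WEAK_CONF = """\
# OpenLDAP client configuration (constructed sample)
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
"""

# Constructed hardened counterpart: verification is mandatory and only one
# explicitly named CA file is trusted (placeholder path).
HARDENED_CONF = """\
TLS_REQCERT demand
TLS_CACERT /path/to/expected-ca.crt
"""

# Placeholder listing of what an audit might find in the cacerts directory.
SAMPLE_CACERTDIR = ["ad-ca.pem", "old-lab-ca.pem"]


def audit_text(text, cacertdir_listing=None):
    """Convenience wrapper: parse then audit."""
    return audit_tls(parse_ldap_conf(text), cacertdir_listing)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s config:" % name)
        for f in audit_text(conf, SAMPLE_CACERTDIR) or ["no findings"]:
            print("  -", f)
```

On a real host the caller would feed it the contents of `/etc/openldap/ldap.conf` and `os.listdir()` of whatever `TLS_CACERTDIR` names; the audit deliberately treats any `TLS_CACERTDIR` as a finding because, as comment 7 shows, a CA dropped there is trusted regardless of what `--cacert` was given on the command line.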