Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a self-signed cert

# mkdir /root/kashyap
# certutil -N -d .
# certutil -S -n "self-signed-ca certificate" -s "cn=self-signed-CAcert" -x -t "CT,," -m 1000 -v 120 -d .
# certutil -L -d . -n "self-signed-ca certificate" -a > test-ca.crt

2. Perform winsync operation against AD using the above CA cert.

ipa-replica-manage connect --winsync --passsync=password --cacert=/root/kashyap/test-ca.crt AD.com --binddn "cn=Administrator,cn=Users,dc=AD,dc=com" --bindpw Secret123 -v -p Secret123

Actual results:
winsync operation is successful and users are synced.

Expected results:
Expected to fail, since the ca cert is not of the Windows server, AD.com in this case.

Additional info:

[root@decepticons ~]# openssl x509 -text -in kashyap/test-ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=self-signed-CAcert
        Validity
            Not Before: Nov 18 13:38:05 2011 GMT
            Not After : Nov 18 13:38:05 2021 GMT
        Subject: CN=self-signed-CAcert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ba:68:b8:c0:5f:17:2d:8b:c8:ed:18:10:d0:60:
                    4f:94:b1:53:de:27:87:4f:b3:cf:0a:e5:24:e6:09:
                    ee:98:7c:ae:d0:5a:53:45:e5:15:07:32:54:36:75:
                    0c:ed:05:0c:32:1e:68:e8:ef:1b:c2:95:2a:b8:66:
                    20:94:b2:a3:3d:59:29:0c:54:ce:f2:05:5d:48:21:
                    09:78:ea:d5:82:53:e0:4c:8b:7d:74:02:ce:08:7f:
                    62:80:2c:bd:13:cf:6f:3c:88:c7:a2:fd:64:45:83:
                    49:93:7a:c9:9b:8d:5d:e6:7a:44:fc:7c:4b:b9:cb:
                    65:a5:27:4e:55:40:e7:b0:a9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        1d:8d:22:86:5d:ba:00:4b:0e:28:36:5b:42:74:d5:eb:2a:42:
        e2:39:33:c6:3a:dc:91:77:83:34:25:9c:6c:9d:10:9b:85:f6:
        61:a9:f1:d7:05:e9:0e:61:ea:0b:79:8a:e7:9d:96:5e:3b:9c:
        11:ce:cb:01:8f:3b:36:51:96:56:f8:0d:a0:e5:fb:59:07:f0:
        26:c8:47:f5:2c:24:71:80:79:09:9e:02:f0:53:e2:c5:f2:c7:
        c3:0a:a7:29:9e:8b:3c:26:72:ea:8a:12:00:f3:bf:18:d2:01:
        d1:fc:da:b8:4c:21:7c:5a:bd:d7:50:ad:f7:64:59:a4:77:3b:
        7f:07
-----BEGIN CERTIFICATE-----
MIIBrzCCARigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwHTEbMBkGA1UEAxMSc2Vs
Zi1zaWduZWQtQ0FjZXJ0MB4XDTExMTExODEzMzgwNVoXDTIxMTExODEzMzgwNVow
HTEbMBkGA1UEAxMSc2VsZi1zaWduZWQtQ0FjZXJ0MIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQC6aLjAXxcti8jtGBDQYE+UsVPeJ4dPs88K5STmCe6YfK7QWlNF
5RUHMlQ2dQztBQwyHmjo7xvClSq4ZiCUsqM9WSkMVM7yBV1IIQl46tWCU+BMi310
As4If2KALL0Tz288iMei/WRFg0mTesmbjV3mekT8fEu5y2WlJ05VQOewqQIDAQAB
MA0GCSqGSIb3DQEBBQUAA4GBAB2NIoZdugBLDig2W0J01esqQuI5M8Y63JF3gzQl
nGydEJuF9mGp8dcF6Q5h6gt5iuedll47nBHOywGPOzZRllb4DaDl+1kH8CbIR/Us
JHGAeQmeAvBT4sXyx8MKpymeizwmcuqKEgDzvxjSAdH82rhMIXxavddQrfdkWaR3
O38H
-----END CERTIFICATE-----
[root@decepticons ~]#

[root@decepticons ~]# ipa user-find shanks-ad
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@decepticons ~]#

[root@decepticons ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/root/kashyap/test-ca.crt dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /root/kashyap/test-ca.crt to certificate database for decepticons.lab.eng.pnq.redhat.com
INFO:root:AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111118134533Z: end: 20111118134533Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'decepticons.lab.eng.pnq.redhat.com' to 'dhcp201-112.englab.pnq.redhat.com'
[root@decepticons ~]#

[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LAB.ENG.PNQ.REDHAT.COM IPA CA                                CT,,C
CN=self-signed-CAcert                                        CT,,C
Server-Cert                                                  u,u,u
[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]#

[root@decepticons ~]# ipa user-find shanks-ad
--------------
1 user matched
--------------
  User login: shanks-ad
  First name: shanks-ad
  Last name: shanks-ad
  Home directory: /home/shanks-ad
  Login shell: /bin/sh
  UID: 1814400109
  GID: 1814400109
  Account disabled: False
  Keytab: False
  Password: False
----------------------------
Number of entries returned 1
----------------------------
[root@decepticons ~]#

[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
dhcp201-112.englab.pnq.redhat.com: winsync
[root@decepticons ~]#
[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LAB.ENG.PNQ.REDHAT.COM IPA CA                                CT,,C
CN=self-signed-CAcert                                        CT,,C
Server-Cert                                                  u,u,u
[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]#

[root@decepticons ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/root/kashyap/test-ca.crt dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /root/kashyap/test-ca.crt to certificate database for decepticons.lab.eng.pnq.redhat.com
INFO:root:AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111118175748Z: end: 20111118175748Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'decepticons.lab.eng.pnq.redhat.com' to 'dhcp201-112.englab.pnq.redhat.com'
[root@decepticons ~]#

[root@decepticons slapd-LAB-ENG-PNQ-REDHAT-COM]# ldapsearch -x -h decepticons.lab.eng.pnq.redhat.com -p 389 -D "cn=Directory Manager" -w Secret123 -b "cn=mapping tree,cn=config"
# extended LDIF
#
# LDAPv3
# base <cn=mapping tree,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mapping tree, config
dn: cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
cn: mapping tree

# dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom, mapping tree, config
dn: cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
cn: "dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"
nsslapd-state: backend
nsslapd-backend: userRoot
nsslapd-referral: ldap://sideswipe.lab.eng.pnq.redhat.com:389/dc%3Dlab%2Cdc%3Deng%2Cdc%3Dpnq%2Cdc%3Dredhat%2Cdc%3Dcom

# replica, dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 3
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/sideswipe.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM,cn=services,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
nsState:: AwAAAAAAAAC5nMZOAAAAAAAAAAAAAAAAFwAAAAAAAAAEAAAAAAAAAA==
nsDS5ReplicaName: f46ae881-112311e1-bdfaa144-3581a2fd
nsds5ReplicaChangeCount: 47563
nsds5replicareapactive: 0

# meTodhcp201-112.englab.pnq.redhat.com, replica, dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom, mapping tree, config
dn: cn=meTodhcp201-112.englab.pnq.redhat.com,cn=replica,cn=dc\3Dlab\2Cdc\3Deng\2Cdc\3Dpnq\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: cn=Users,DC=englab,DC=pnq,DC=redhat,DC=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
cn: meTodhcp201-112.englab.pnq.redhat.com
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to dhcp201-112.englab.pnq.redhat.com
nsDS5ReplicaRoot: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
nsDS5ReplicaHost: dhcp201-112.englab.pnq.redhat.com
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: lab.eng.pnq.redhat.com
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {DES}MdU5bxh5HKD/KVqD0jfUqg==
nsds7DirsyncCookie:: TVNEUwMAAABOSyWnG6bMAQAAAAAAAAAAKAAAAImmAAAAAAAAAAAAAAAAAACJpgAAAAAAAKKzNQJqRVJFhXBlBt3uXvwBAAAAAAAAAAEAAAAAAAAAorM1AmpFUkWFcGUG3e5e/ImmAAAAAAAA
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20111118175817Z
nsds5replicaLastUpdateEnd: 20111118175817Z
nsds5replicaChangesSentSinceStartup:: MzoyLzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20111118175750Z
nsds5replicaLastInitEnd: 20111118175751Z
nsds5replicaLastInitStatus: 0 Total update succeeded

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2129
I can't reproduce this against my AD server. I created a bogus CA and tried to use that:

# ipa-replica-manage connect --winsync --cacert=/tmp/test-ca.crt --binddn=cn=administrator,cn=users,dc=example,dc=com --bindpw Password1 win2003.example.com -v --passsync Password1
Added CA certificate /tmp/test-ca.crt to certificate database for rawhide.example.com
ipa: INFO: Failed to connect to AD server win2003.example.com
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
Failed to setup winsync replication

-8179 is "Certificate is signed by an unknown issuer" which is what I would expect.
I just tried again, works for me. Can you provide additional reproduction steps?
I was provided a machine that demonstrates this issue. This was extremely helpful.

I switched to using ldapsearch -ZZ to diagnose the problem and this led me to two problems:

1. The CA cert was in /etc/openldap/cacerts. openldap automatically loads these certs, which is why the AD CA was trusted even though the incorrect one was passed on the cli.

2. /etc/openldap/ldap.conf had TLS_REQCERT set to allow. This means that a bad server cert is accepted even if untrusted.

I renamed ldap.conf to ldap.conf.old and confirmed that neither ldapsearch nor ipa-replica-manage work any more:

# cd /etc/openldap
# mv ldap.conf ldap.conf.old
# ipa-replica-manage connect --winsync --passsync=password --cacert=/root/kashyap/test-ca.crt dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /root/kashyap/test-ca.crt to certificate database for decepticons.lab.eng.pnq.redhat.com
INFO:root:Failed to connect to AD server dhcp201-112.englab.pnq.redhat.com
INFO:root:The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
Failed to setup winsync replication

I restored the system to its previous state.
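The two conditions found in the diagnosis above (a CA directory that libldap loads on its own, and TLS_REQCERT set to allow) are exactly what makes a negative test like the one in this report meaningless, so they are worth checking mechanically before trusting the result of a --cacert experiment. The following script is an added example written for this page; it is not code from the bug report, from FreeIPA or from OpenLDAP. It assumes only the standard ldap.conf directive syntax (directive name, whitespace, value; "#" starts a comment) and that OpenLDAP's default for an absent TLS_REQCERT is "demand"; the sample configurations it runs against are constructed, not copied from the reporter's machine.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit an OpenLDAP client
# configuration for two settings that silently widen trust beyond whatever
# --cacert a caller passes:
#   * TLS_REQCERT weaker than "demand" or "hard": a server certificate that
#     fails verification is accepted anyway.
#   * TLS_CACERTDIR: every CA certificate in that directory is loaded by
#     libldap on its own, so a CA dropped there is trusted implicitly.

# audit_ldap_conf FILE
# Prints one finding per line; returns 0 when the file is strict, 1 otherwise.
audit_ldap_conf() {
    conf="$1"
    rc=0

    # The last TLS_REQCERT directive wins; libldap defaults to "demand" when
    # none is present (assumption stated in the lead-in). Commented-out
    # directives such as "#TLS_REQCERT never" are skipped because their first
    # field begins with "#".
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
                   END { print (v == "" ? "demand" : v) }' "$conf")
    case "$reqcert" in
        demand|hard)
            ;;
        *)
            echo "WEAK: TLS_REQCERT is '$reqcert'; server certificates that fail verification are still accepted"
            rc=1
            ;;
    esac

    # Any directory named here is scanned for CA certificates automatically.
    cadir=$(awk 'toupper($1) == "TLS_CACERTDIR" { v = $2 } END { print v }' "$conf")
    if [ -n "$cadir" ]; then
        echo "NOTE: TLS_CACERTDIR $cadir is loaded automatically; every CA in it is trusted in addition to any --cacert given"
        rc=1
    fi
    return "$rc"
}

# Constructed sample configurations for a stand-alone run. The first mirrors
# the state that let the bogus CA "work" in the report; the second is the
# strict form with the old directive left commented out.
demo_dir=$(mktemp -d)
printf 'TLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT allow\n' > "$demo_dir/lax.conf"
printf '#TLS_REQCERT never\nTLS_REQCERT demand\n' > "$demo_dir/strict.conf"

for f in "$demo_dir/lax.conf" "$demo_dir/strict.conf"; do
    echo "== $f"
    if audit_ldap_conf "$f"; then
        echo "OK: no implicit CA directory and certificate verification is enforced"
    fi
done
rm -rf "$demo_dir"
```

Run it against /etc/openldap/ldap.conf on the host that performs the sync. The script treats any TLS_CACERTDIR as a finding rather than inspecting the directory, because the directory's contents decide what is trusted regardless of the --cacert argument; once both findings are cleared (TLS_REQCERT demand, and no CA directory or an empty one), a failure such as the -8179 "unknown issuer" error above is the expected outcome for a wrong CA, and the non-zero exit status lets the audit gate a test script.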