Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12:fb:5c:b4:00:00:00:00:00:02
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Validity
            Not Before: Mar 29 00:54:45 2011 GMT
            Not After : Mar 28 00:54:45 2012 GMT
        Subject: CN=dc0001.ipa.ac.nz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            S/MIME Capabilities:
                050...*.H.. ......0...*.H.. ......0...+....0 ..*.H.. ..
            X509v3 Subject Key Identifier:
                7F:03:DF:87:27:A7:F2:59:C7:17:E8:CF:19:01:51:1B:FA:EF:D7:D3
            1.3.6.1.4.1.311.20.2:
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Authority Key Identifier:
                keyid:CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=dc0001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.ipa.ac.nz_dc0001.crt
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                othername:<unsupported>, DNS:dc0001.ipa.ac.nz
    Signature Algorithm: sha1WithRSAEncryption

________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 30 March 2011 9:04 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:02 PM, Steven Jones wrote:
> Hi,
>
> My Windows person suggests because this is a self signed cert, the client
> needs to be forced to trust it....?
can you paste the output of openssl x509 -in /home/jonesst1/domaincert.cer -text ?
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 30 March 2011 2:50 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> Steven Jones wrote:
>> Got a bit further.......I was missing "--passsync"
> I think you were using the V1 documentation. The "Enterprise Identity
> Management Guide" is what you want off freeipa.org in the Documentation
> section.
>
>> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn
>> cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert
>> /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are
>> required to create a winsync agreement
>> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn
>> cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync
>> Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database
>> for fed14-64-ipam001.ipa.ac.nz
>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13',
>> 'desc': 'Connect error'}
>> unexpected error: Failed to setup winsync replication
>> [root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>> dc0001.ipa.ac.nz has address 192.168.101.2
>> [root@fed14-64-ipam001 samba]#
>>
>> But still isn't working.........
> I think you have the wrong AD cert. -8179 translates to "Certificate is
> signed by an unknown issuer". Can you verify that you have the AD CA
> certificate?
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
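
The check asked for in this thread (is the file passed to --cacert the AD CA certificate?), as an added example that is not part of the original messages: a Python script that reads `openssl x509 -text` output and reports whether it describes a CA certificate or an end-entity one. The function names and the second sample are assumptions made for illustration.

```python
import re

# Constructed input: decoded fields of the certificate pasted in this thread
# (key and signature bytes left out).
PASTED = """\
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Subject: CN=dc0001.ipa.ac.nz
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""
# Constructed input: how a self-signed CA certificate typically decodes.
# Using the thread's issuer name as its subject is an assumption.
CA_LIKE = """\
        Issuer: DC = nz, DC = ac, DC = ipa, CN = dc0001
        Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
"""

def _field(text, label):
    """Value on the same line as 'label:' (Issuer, Subject), or None."""
    m = re.search(r"^[ \t]*%s:[ \t]*(.+)$" % re.escape(label), text, re.M)
    return m.group(1).strip() if m else None

def _extension(text, name):
    """First value line under an extension header, or '' if absent."""
    pat = r"^[ \t]*%s:(?: critical)?[ \t]*\n[ \t]*(.+)$" % re.escape(name)
    m = re.search(pat, text, re.M)
    return m.group(1).strip() if m else ""

def _norm(dn):  # ignore openssl's spacing around '=' and ','
    return re.sub(r"\s*([=,])\s*", r"\1", dn).lower()

def classify(text):
    """Decide whether decoded certificate text describes a CA certificate."""
    issuer, subject = _field(text, "Issuer"), _field(text, "Subject")
    if issuer is None or subject is None:
        raise ValueError("no Issuer/Subject: not `openssl x509 -text` output")
    is_ca = "CA:TRUE" in _extension(text, "X509v3 Basic Constraints")
    self_issued = _norm(issuer) == _norm(subject)
    kind = ("root-ca" if self_issued else "intermediate-ca") if is_ca else "end-entity"
    return {"kind": kind, "issuer": issuer, "usable_as_cacert": is_ca,
            "can_sign": "Certificate Sign" in _extension(text, "X509v3 Key Usage")}

if __name__ == "__main__":
    for name, text in (("pasted", PASTED), ("ca-like", CA_LIKE)):
        print(name, classify(text))
```

An "end-entity" result means the file is a server certificate; the trust anchor to import is the certificate of the name shown in its Issuer field.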