Rhds8.0 with windows 2003 ADS PassSync Error

Hi,

 I am trying to integrate RHDS 8.0 on RHEL 5 with Windows 2003 ADS, as per
the RHEL documentation, for user/group and password sync from Windows ADS.

 I am using Windows Sync and PassSync, but I am facing a problem with the
certificate creation.

###########################################################################
Followed the steps below on the RHDS box running on RHEL 5 to set up SSL.
###########################################################################

   - vi pin.txt

       secretpw


   - Create a noise file for the encryption

 vi noise.txt
 dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk


   - Create the key and certificate databases database

 certutil -N -d . -f pin.txt   (this creates three files with a .db extension)


   - Generate the encryption key

 certutil -G -d . -z noise.txt -f pin.txt


   - Generate the self-signed CA certificate

 certutil -S -n "CA Certificate" -s "cn=CAcert" -x -t "CT,," \
   -m 1000 -v 9999 -d . -z noise.txt -f pin.txt

(generates the CA certificate and puts it into the db stores; it can be verified with:

  certutil -L -d . -n "Certificate Name"

where Certificate Name is CA Certificate)


   - Generate the Directory Server Client Certificate

 certutil -S -n "server-cert" \
   -s "cn=ldapproxy.example.com,cn=Directory Server" \
   -c "CA Certificate" -t "u,u,u" -m 1001 -v 9999 -d . \
   -z noise.txt -f pin.txt


   - Convert to pkcs12 format (note these files will be used within the AD
   system, and the prompted password for the commands below will need to match
   password in pin.txt file)

 pk12util -d . -o cacert.pk12 -n "CA Certificate"
 pk12util -d . -o dscert.pk12 -n "server-cert"

###########################################################################

 After that, when I executed ldapsearch -x -ZZ it showed all the entries
properly on the RHDS RHEL box, so this indicates SSL was perfectly
configured on RHDS.

###########################################################################



STEPS FOLLOWED ON THE WINDOWS 2003 ADS BOX to set up SSL on the Active
Directory Server

Windows ADS domain: example.com
Windows FQDN: testing.example.com


   - Install a certificate authority in the Windows Components section in
   Add/Remove Programs .
   - Select the Enterprise Root CA option.
   - Make sure to use the hostname as the DN serverX and then for the domain
   dc=example,dc=com (note, this should resemble your FQDN)
   - Reboot Windows Machine
   - Log back in to the box...give it a little while, it's windows :-)
   - Go to Start>>Run>>mmc
   - Under File>>Add/Remove Snap-in
   - Click Add, Click Certificates, Click Add, Click Computer Account, Click
   Next and finish
   - Go to Trusted Root Certificates>>Certificates>>Right Click>>All
   Tasks>>Import
   - Go to where you copied the pk12 files from earlier and import the
   cacert.pk12  [CREATED IN RHDS RUNNING ON rhel ]

Create DB stores for PassSync on the Windows 2003 ADS server


   - Copy the .pk12 files that were put on the Windows system to C:\Program
   Files\Red Hat Directory Password Synchronization\
   - In this directory run certutil -d . -N (from a DOS command prompt)
   - This creates empty db stores; next run the following to import your
   dscert.pk12 into the key store

 pk12util -d . -i dscert.pk12


   - Then give trusted peer status to the server

 certutil -d . -M -n server-cert -t "P,P,P"


ERROR

When I executed the above command on the Windows 2003 ADS box it gave
me the following error:

certutil.exe unable to decode trust strings error 0





Also, the certificates created on the RHEL box using certutil show the
validity date and the expiration date as the current date and time, for
both the CA Cert and the Server-cert.

I checked the certificate content by using:

certutil -L -d . -n "Certificate Name"
certutil -L -d . -n "Server-cert"





Please help me with how to troubleshoot this error.

Regards
lingu
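An added example, not part of the original post: a small Python checker for the two symptoms described above. It parses the text that `certutil -L -d . -n <nickname>` prints and flags an empty validity window (Not Before equal to Not After), and it decodes a `-t` trust string the way certutil does so that a string with a stray character is caught before it is passed to `certutil -M`. The sample certutil output is constructed and abbreviated; the function names are assumptions.

```python
"""Added example (not from the original post): checks for an NSS cert DB.
Parses `certutil -L -d . -n <nick>` output, flags an empty validity window
(Not Before == Not After), and decodes a -t trust string like certutil does."""
import re
from datetime import datetime

NSS_TRUST_CHARS = set("pPcCTuw")   # trust letters documented for certutil -t
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # date layout certutil -L prints
_DATE_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.M)

# Constructed, abbreviated sample of `certutil -L` output (not real data).
SAMPLE_CERT_DUMP = """\
Certificate:
        Validity:
            Not Before: Sun Jun 29 10:15:22 2008
            Not After : Sun Jun 29 10:15:22 2008
"""

def parse_validity(dump):
    """Return (not_before, not_after) datetimes from certutil -L output."""
    found = {m.group(1): datetime.strptime(m.group(2), DATE_FMT)
             for m in _DATE_RE.finditer(dump)}
    return found["Before"], found["After"]

def validity_problems(dump, now=None):
    """Describe what is wrong with the certificate's validity window, if anything."""
    nb, na = parse_validity(dump)
    now = now or datetime.now()
    if na <= nb:
        return ["validity window is empty: Not After <= Not Before"]
    if not nb <= now <= na:
        return ["certificate is not currently valid (now is outside the window)"]
    return []

def decode_trust_string(trust):
    """Split "CT,," style -t strings into SSL/email/object-signing flag sets.
    Letters go into the current field, a comma moves to the next field, and
    any other character is rejected (certutil then cannot decode the string)."""
    fields = {"ssl": set(), "email": set(), "objsign": set()}
    names, idx = list(fields), 0
    for ch in trust:
        if ch == ",":
            idx = min(idx + 1, 2)
        elif ch in NSS_TRUST_CHARS:
            fields[names[idx]].add(ch)
        else:
            raise ValueError(f"invalid trust character {ch!r} in {trust!r}")
    return fields
```

Run it against the real output of `certutil -L` on the RHDS box and against the exact `-t` argument reaching certutil.exe on Windows to see which of the two checks trips.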

