<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/17/2013 12:03 PM, Steve Dainard
wrote:<br>
</div>
<blockquote
cite="mid:CAHnsdUvMWvcCD8joaMkvVaihbtaSPmZTpGO22O-5EW1=WPtp+Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="">Thanks for getting me on the right track.</div>
<div><br>
</div>
Yes to the Windows sync agreement.
<div><br>
</div>
<div>I'm not sure if this is related to password sync'ing, but
it looks like a sync operation is triggering (and failing)
every 4 seconds on one of my users:</div>
<div><br>
</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): State:
start_backoff -> backoff<br>
</div>
<div>
<div>[17/May/2013:13:28:42 -0400] - acquire_replica, supplier
RUV:</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
supplier: {replicageneration} 50802036000000030000</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
supplier: {replica 3 <a class="moz-txt-link-freetext" href="ldap://ipa1.miovision.linux:389">ldap://ipa1.miovision.linux:389</a>}
50802036000100030000 51966776000100030000 51966776</div>
<div>[17/May/2013:13:28:42 -0400] - acquire_replica, consumer
RUV:</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
consumer: {replicageneration} 50802036000000030000</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
consumer: {replica 3 <a class="moz-txt-link-freetext" href="ldap://ipa1.miovision.linux:389">ldap://ipa1.miovision.linux:389</a>}
50802036000100030000 515ad91f000000030000 00000000</div>
<div>[17/May/2013:13:28:42 -0400] - acquire_replica, supplier
RUV is newer</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): Cancelling
linger on the connection</div>
<div>[17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time:
gen state before 519668c60001:1368811718:0:0</div>
<div>[17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time:
gen state after 519668ca0000:1368811722:0:0</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff
-> sending_updates</div>
<div>[17/May/2013:13:28:42 -0400] - csngen_adjust_time: gen
state before 519668ca0001:1368811722:0:0</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
changelog program - _cl5GetDBFile: found DB object f6d910
for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
<div>[17/May/2013:13:28:42 -0400] -
_cl5PositionCursorForReplay
(agmt="cn=meTodc1.miovision.corp" (dc1:389)): Consumer RUV:</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
{replicageneration} 50802036000000030000</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3
<a class="moz-txt-link-freetext" href="ldap://ipa1.miovision.linux:389">ldap://ipa1.miovision.linux:389</a>} 50802036000100030000
515ad91f000000030000 00000000</div>
<div>[17/May/2013:13:28:42 -0400] -
_cl5PositionCursorForReplay
(agmt="cn=meTodc1.miovision.corp" (dc1:389)): Supplier RUV:</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
{replicageneration} 50802036000000030000</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3
<a class="moz-txt-link-freetext" href="ldap://ipa1.miovision.linux:389">ldap://ipa1.miovision.linux:389</a>} 50802036000100030000
51966776000100030000 51966776</div>
<div>[17/May/2013:13:28:42 -0400]
agmt="cn=meTodc1.miovision.corp" (dc1:389) -
clcache_get_buffer: found thread private buffer cache
7f30bc061d00</div>
<div>[17/May/2013:13:28:42 -0400]
agmt="cn=meTodc1.miovision.corp" (dc1:389) -
clcache_get_buffer: _pool is 2e7cc10 _pool->pl_busy_lists
is 7f30bc050790 _pool->pl_busy_lists->bl_buffers is
7f30bc061d00</div>
<div>[17/May/2013:13:28:42 -0400]
agmt="cn=meTodc1.miovision.corp" (dc1:389) - session start:
anchorcsn=515ad91f000000030000</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
changelog program - agmt="cn=meTodc1.miovision.corp"
(dc1:389): CSN 515ad91f000000030000 found, position set for
replay</div>
<div>[17/May/2013:13:28:42 -0400]
agmt="cn=meTodc1.miovision.corp" (dc1:389) - load=1 rec=1
csn=515ae3f4000000030000</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
windows_replay_update: Looking at modify operation local
dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
(ours,user,not group)</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
map_entry_dn_outbound: looking for AD entry for DS
dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
guid="ba17f9770e0c814cb9eea9df2d4df61a"</div>
<div>[17/May/2013:13:28:42 -0400] - Calling windows entry
search request plugin</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
Could not retrieve entry from Windows using search base
[<GUID=ba17f9770e0c814cb9eea9df2d4df61a>] scope [0]
filter [(objectclass=*)]: error 1:Operations error</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
map_entry_dn_outbound: return code -1 from search for AD
entry dn="<GUID=ba17f9770e0c814cb9eea9df2d4df61a>" or
dn="(null)"</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
map_entry_dn_outbound: entry not found - rc -1</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
windows_replay_update: Processing modify operation local
dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
remote dn="<GUID=ba17f9770e0c814cb9eea9df2d4df61a>"</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
map_entry_dn_outbound: looking for AD entry for DS
dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
guid="ba17f9770e0c814cb9eea9df2d4df61a"</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
map_entry_dn_outbound: looking for AD entry for DS
dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
username="jkeller"</div>
<div>[17/May/2013:13:28:42 -0400] - Calling windows entry
search request plugin</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
Could not retrieve entry from Windows using search base
[dc=miovision,dc=corp] scope [2] filter
[(samAccountName=jkeller)]: error 1:Operations error</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
map_entry_dn_outbound: entry not found - rc -1</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
map_entry_dn_outbound: failed to fetch entry from AD:
dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux",
err=-1</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389):
windows_replay_update: update password returned 1</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): Consumer failed
to replay change (uniqueid
cd3be819-21c711e2-96aaaa0d-17c9983f, CSN
515ae3f4000000030000): Operations error. Will retry later.</div>
<div>[17/May/2013:13:28:42 -0400]
agmt="cn=meTodc1.miovision.corp" (dc1:389) - session end:
state=0 load=1 sent=1 skipped=0</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): Beginning linger
on the connection</div>
<div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): State:
sending_updates -> start_backoff</div>
<div><br>
</div>
<div>
<div><br>
</div>
<div><br>
</div>
<div>Here's the output of an ldapsearch for the user
jkeller:</div>
<div><br>
</div>
<div>
<div>#/usr/bin/ldapsearch -h dc1.miovision.corp -D
<a class="moz-txt-link-rfc2396E" href="mailto:ldap-auth@miovision.corp">"ldap-auth@miovision.corp"</a> -W -b "dc=miovision,dc=corp"
'(samAccountName=jkeller)' cn samAccountName</div>
<div><br>
</div>
</div>
<div>
<div># Joel Keller, 01Engineering, miovision.corp</div>
<div>dn: CN=Joel
Keller,OU=01Engineering,DC=miovision,DC=corp</div>
<div>cn: Joel Keller</div>
<div>sAMAccountName: jkeller</div>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div style="">When I change my password on the IPA server, it
looks like the change is queued:</div>
<div style=""><br>
</div>
<div style="">
<div>[17/May/2013:13:53:48 -0400] -
_csngen_adjust_local_time: gen state before
51966eab0001:1368813227:0:0</div>
<div>[17/May/2013:13:53:48 -0400] -
_csngen_adjust_local_time: gen state after
51966eac0000:1368813228:0:0</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
ruv_add_csn_inprogress: successfully inserted csn
51966eac000000030000 into pending list</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
Purged state information from entry
uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux up
to CSN 518d33f9000700030000</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
changelog program - _cl5GetDBFileByReplicaName: found DB
object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
changelog program - _cl5GetDBFileByReplicaName: found DB
object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
ruv_update_ruv: successfully committed csn
51966eac000000030000</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
ruv_add_csn_inprogress: successfully inserted csn
51966eac000100030000 into pending list</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
Purged state information from entry
uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux up
to CSN 518d342c000000030000</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
changelog program - _cl5GetDBFileByReplicaName: found DB
object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
changelog program - _cl5GetDBFileByReplicaName: found DB
object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
ruv_update_ruv: successfully committed csn
51966eac000100030000</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): State:
start_backoff -> backoff</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
ruv_add_csn_inprogress: successfully inserted csn
51966eac000200030000 into pending list</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
Purged state information from entry
uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux up
to CSN 518d342c000100030000</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
changelog program - _cl5GetDBFileByReplicaName: found DB
object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
changelog program - _cl5GetDBFileByReplicaName: found DB
object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
ruv_update_ruv: successfully committed csn
51966eac000200030000</div>
<div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff
-> backoff</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div style="">Perhaps whatever is causing the sync error with
user jkeller is holding up the queued transactions?</div>
</div>
</div>
</blockquote>
<br>
Yes. It is attempting to replay the password change operation. It
first tries to find the entry in AD, but that is failing with
operations error.<br>
<br>
Try doing the ldapsearch with the same bind DN and password you
specified when you set up the winsync agreement. Or did you use
<a class="moz-txt-link-rfc2396E" href="mailto:ldap-auth@miovision.corp">"ldap-auth@miovision.corp"</a>?<br>
<br>
Another difference is that winsync uses LDAPS - so try this:<br>
<br>
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -H
<a class="moz-txt-link-freetext" href="ldaps://dc1.miovision.corp">ldaps://dc1.miovision.corp</a> -D <a class="moz-txt-link-rfc2396E" href="mailto:ldap-auth@miovision.corp">"ldap-auth@miovision.corp"</a> -W -b
"dc=miovision,dc=corp" '(samAccountName=jkeller)' cn samAccountName<br>
<br>
<blockquote
cite="mid:CAHnsdUvMWvcCD8joaMkvVaihbtaSPmZTpGO22O-5EW1=WPtp+Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br clear="all">
<div>
<div dir="ltr">
<br>
<br>
<br>
Steve Dainard<br>
Infrastructure Manager
<div>Miovision Technologies Inc.<br>
<br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Fri, May 17, 2013 at 11:39 AM,
Rich Megginson <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im">
<div>On 05/17/2013 09:26 AM, Steve Dainard wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>We're running a single IPA server (CentOS 6)
on our network as a side project for some
testing before we implement.</div>
<div><br>
</div>
<div>It had been a significant period of time
since I had last logged into the web interface,
so I had to kinit from a client machine (of
which I had logged into successfully with my
domain password), at which point I was requested
to change my password. After the password change
I RDP'd into a Windows machine on our domain and
realized the password had not been updated on
the domain controller.</div>
<div><br>
</div>
<div>Is the password sync feature with an external
source such as Active Directory supposed to be
two-way? If so where can I start troubleshooting
this issue?</div>
</div>
</blockquote>
<br>
</div>
Are you talking about a windows sync agreement you set
up with ipa-replica-manage?<br>
If so, yes, the password sync is supposed to be two-way.<br>
Try this:<br>
turn on the replication log level <a
moz-do-not-send="true"
href="http://port389.org/wiki/FAQ#Troubleshooting"
target="_blank">http://port389.org/wiki/FAQ#Troubleshooting</a><br>
change your IPA password<br>
turn off the replication log level <a
moz-do-not-send="true"
href="http://port389.org/wiki/FAQ#Troubleshooting"
target="_blank">http://port389.org/wiki/FAQ#Troubleshooting</a><br>
see if you can use your new password in AD<br>
<br>
The 389 errors log in
/var/log/dirsrv/slapd-YOUR-DOMAIN/errors may contain a
clue.<br>
<br>
<blockquote type="cite">
<div class="im">
<div dir="ltr">
<div><br>
</div>
<div>Thanks,<br clear="all">
<div>
<div dir="ltr"><br>
<br>
<br>
Steve Dainard<br>
Infrastructure Manager
<div>Miovision Technologies Inc.<br>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
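Added example, not part of the original thread and not code from 389 Directory Server: a small parser for replication-level errors-log lines like those quoted above. It groups each "Consumer failed to replay change" record by CSN with the local DN and the failed AD searches that preceded it, and decodes the CSN's leading timestamp to show how old the stuck change is. The names blocked_changes and csn_epoch are this example's own, and the second retry cycle in the sample is constructed.<br>
<br>

```python
import re
from datetime import datetime, timezone

# Four records copied from the errors-log excerpt quoted in this thread, one per line.
CYCLE = '''\
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_replay_update: Looking at modify operation local dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" (ours,user,not group)
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [<GUID=ba17f9770e0c814cb9eea9df2d4df61a>] scope [0] filter [(objectclass=*)]: error 1:Operations error
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [dc=miovision,dc=corp] scope [2] filter [(samAccountName=jkeller)]: error 1:Operations error
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Consumer failed to replay change (uniqueid cd3be819-21c711e2-96aaaa0d-17c9983f, CSN 515ae3f4000000030000): Operations error. Will retry later.
'''
# Constructed: the same cycle repeated four seconds later, as the poster describes.
SAMPLE_LOG = CYCLE + CYCLE.replace("13:28:42", "13:28:46")

LOOKING = re.compile(r'windows_replay_update: Looking at \w+ operation local dn="([^"]+)"')
AD_FAIL = re.compile(r'Could not retrieve entry from Windows using search base \[(.*?)\] '
                     r'scope \[(\d)\] filter \[(.*?)\]: error (\d+):(.+)$')
REPLAY_FAIL = re.compile(r'agmt="([^"]+)".*Consumer failed to replay change '
                         r'\(uniqueid ([^,]+), CSN ([0-9a-f]{20})\): (.+?)\. Will retry later')

def csn_epoch(csn):
    """The first 8 hex digits of a CSN are seconds since the Unix epoch."""
    return int(csn[:8], 16)

def blocked_changes(log_text):
    """Map each CSN that failed to replay to its DN, AD search failures and retry count."""
    blocked, dn, searches = {}, None, []
    for line in log_text.splitlines():
        if m := LOOKING.search(line):
            dn, searches = m.group(1), []          # a new replay attempt starts here
        elif m := AD_FAIL.search(line):
            searches.append((m.group(1), m.group(3), m.group(5).strip()))
        elif m := REPLAY_FAIL.search(line):
            agmt, _uniqueid, csn, reason = m.groups()
            rec = blocked.setdefault(csn, {"agreement": agmt, "dn": dn, "reason": reason,
                                           "retries": 0, "ad_searches": set()})
            rec["retries"] += 1
            rec["ad_searches"].update(searches)
    return blocked

if __name__ == "__main__":
    for csn, rec in blocked_changes(SAMPLE_LOG).items():
        when = datetime.fromtimestamp(csn_epoch(csn), timezone.utc)
        print(f"{csn} ({when:%Y-%m-%d %H:%M}Z) {rec['dn']}: {rec['reason']} x{rec['retries']}")
        for base, flt, err in sorted(rec["ad_searches"]):
            print(f"    AD search base={base} filter={flt} -> {err}")
```

A CSN that keeps reappearing with a growing retry count is the change at the head of the winsync queue; later changes wait behind it until the AD lookup for that entry succeeds.<br>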
</body>
</html>