<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 05/21/2013 11:58 AM, Steve Dainard
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">So over the weekend, with some serious tinkering I
        managed to brick that install beyond recovery.
        <div><br>
        </div>
        <div style="">I've reinstalled, set up freeipa as a standalone CA
          with dns, and did the initial winsync agreement.</div>
        <div style=""><br>
        </div>
        <div style="">After the initial agreement was synced I modified
          the <span
            style="color:rgb(51,51,51);font-size:13px;line-height:17.328125px">nsds7WindowsReplicaSubtree
            entry</span></div>
      </div>
    </blockquote>
    <br>
    How?  ldapmodify?<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style=""><span
            style="color:rgb(51,51,51);font-size:13px;line-height:17.328125px">to
            reflect the AD group I want users sync'd from: CN=Shared
            Login, CN=Users,DC=miovision,DC=corp.</span></div>
      </div>
    </blockquote>
    <br>
    Why didn't you just specify "CN=Shared Login,
    CN=Users,DC=miovision,DC=corp" initially with ipa-replica-manage
    --win-subtree?<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style=""><span
            style="color:rgb(51,51,51);font-size:13px;line-height:17.328125px">Note
            when attempting to do an initial ldapsearch I got a 'can't
            connect to LDAP server' message,</span></div>
      </div>
    </blockquote>
    <br>
    Can you provide the exact ldapsearch command line you tried?<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style=""><span
            style="color:rgb(51,51,51);font-size:13px;line-height:17.328125px">and
            had to manually start dirsrv... this is probably already a
            bad sign.</span></div>
      </div>
    </blockquote>
    <br>
    Was dirsrv running after you modified the nsds7WindowsReplicaSubtree
    entry?<br>
    Did dirsrv crash?  Do you see any "Detected Disorderly Shutdown"
    messages in your errors logs?<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style=""><br>
        </div>
        <div style=""><font color="#333333"><span
              style="line-height:17.328125px">Although the documentation
              mentions changes will be applied on next sync when '</span></font><span
style="color:rgb(51,51,51);font-size:13px;line-height:17.328125px">nsds7WindowsReplicaSubtree'
            is changed, </span><span
            style="line-height:17.328125px;color:rgb(51,51,51)">they do
            not.</span></div>
      </div>
    </blockquote>
    <br>
    Did you use ldapmodify to change it?<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style=""><span
            style="line-height:17.328125px;color:rgb(51,51,51)">Also if
            I try to include the </span><span
            style="color:rgb(51,51,51);font-size:13px;line-height:17.328125px">--win-subtree=CN=Shared
            Login,CN=Users,DC=miovision,DC=corp argument I get an
            invalid password message; this might be because I didn't
            quote the DN though.</span></div>
      </div>
    </blockquote>
    <br>
    Yes, that's likely.<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style=""><span
            style="color:rgb(51,51,51);line-height:17.328125px">So I
            then ran ipa-replica-manage re-initialize --from
            dc1.miovision.corp.</span></div>
        <div style=""><font color="#333333"><span
              style="line-height:17.328125px"><br>
            </span></font></div>
        <div style=""><font color="#333333"><span
              style="line-height:17.328125px">I now have a screen
              session with an incredible amount of </span></font><span
            style="line-height:17.328125px;color:rgb(51,51,51)">"Update
            in progress" lines which has been running for about 30
            minutes now (triggered at 12:58:56). I tried this on the
            weekend as well, and the process ran overnight so I killed
            it and had to start from scratch again.</span></div>
        <div style=""><span
            style="line-height:17.328125px;color:rgb(51,51,51)"><br>
          </span></div>
        <div style=""><span
            style="line-height:17.328125px;color:rgb(51,51,51)">The
            dirsrv error log is:</span></div>
        <div style="">
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:24:01
                -0400] - slapd started.  Listening on All Interfaces
                port 389 for LDAP requests</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:24:01
                -0400] - Listening on All Interfaces port 636 for LDAPS
                requests</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:24:01
                -0400] - Listening on
                /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:13
                -0400] - slapd shutting down - signaling operation
                threads</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:13
                -0400] - slapd shutting down - closing down internal
                subsystems and plugins</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:13
                -0400] - Waiting for 4 database threads to stop</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:13
                -0400] - All database threads now stopped</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:13
                -0400] - slapd stopped.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:16
                -0400] - 389-Directory/1.2.11.15 B2013.105.2259
                starting up</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:16
                -0400] schema-compat-plugin - warning: no entries set up
                under cn=computers, cn=compat,dc=miovision,dc=linux</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:16
                -0400] schema-compat-plugin - warning: no entries set up
                under cn=ng, cn=compat,dc=miovision,dc=linux</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:16
                -0400] schema-compat-plugin - warning: no entries set up
                under ou=sudoers,dc=miovision,dc=linux</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:16
                -0400] - Skipping CoS Definition cn=Password
                Policy,cn=accounts,dc=miovision,dc=linux--no CoS
                Templates found, which should be added before the CoS
                Definition.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:16
                -0400] - Skipping CoS Definition cn=Password
                Policy,cn=accounts,dc=miovision,dc=linux--no CoS
                Templates found, which should be added before the CoS
                Definition.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:16
                -0400] - slapd started.  Listening on All Interfaces
                port 389 for LDAP requests</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:16
                -0400] - Listening on All Interfaces port 636 for LDAPS
                requests</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:16
                -0400] - Listening on
                /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:18
                -0400] - Entry
                "cn=meTodc1.miovision.corp,cn=replica,cn=dc\3Dmiovision\2Cdc\3Dlinux,cn=mapping
                tree,cn=config" -- attribute
                "nsDS5ReplicatedAttributeListTotal" not allowed</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:18
                -0400] NSMMReplicationPlugin -
                agmt="cn=meTodc1.miovision.corp" (dc1:389): Replica has
                no update vector. It has never been initialized.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:18
                -0400] NSMMReplicationPlugin -
                agmt="cn=meTodc1.miovision.corp" (dc1:389): Replica has
                no update vector. It has never been initialized.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:18
                -0400] NSMMReplicationPlugin -
                agmt="cn=meTodc1.miovision.corp" (dc1:389): Replica has
                no update vector. It has never been initialized.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:20
                -0400] NSMMReplicationPlugin - Beginning total update of
                replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:21
                -0400] - Entry
                "uid=krbtgt,cn=users,cn=accounts,dc=miovision,dc=linux"
                missing attribute "sn" required by object class "person"</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:21
                -0400] - Entry
                "uid=krbtgt_18424,cn=users,cn=accounts,dc=miovision,dc=linux"
                missing attribute "sn" required by object class "person"</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:21
                -0400] - Entry
                "uid=IUSR_MIOFILES,cn=users,cn=accounts,dc=miovision,dc=linux"
                missing attribute "sn" required by object class "person"</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:21
                -0400] - Entry
                "uid=IWAM_MIOFILES,cn=users,cn=accounts,dc=miovision,dc=linux"
                missing attribute "sn" required by object class "person"</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:21
                -0400] - Entry
                "uid=backup,cn=users,cn=accounts,dc=miovision,dc=linux"
                missing attribute "sn" required by object class "person"</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:21
                -0400] - Entry
                "uid=Guest,cn=users,cn=accounts,dc=miovision,dc=linux"
                missing attribute "sn" required by object class "person"</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:22
                -0400] - Entry
                "uid=ldap-auth,cn=users,cn=accounts,dc=miovision,dc=linux"
                missing attribute "sn" required by object class "person"</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:22
                -0400] - Entry
                "uid=Administrator,cn=users,cn=accounts,dc=miovision,dc=linux"
                missing attribute "sn" required by object class "person"</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:22
                -0400] NSMMReplicationPlugin - Finished total update of
                replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".
                Sent 2 entries.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:23
                -0400] - slapd shutting down - signaling operation
                threads</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:23
                -0400] - slapd shutting down - closing down internal
                subsystems and plugins</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:23
                -0400] - Waiting for 4 database threads to stop</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:23
                -0400] - All database threads now stopped</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:50:23
                -0400] - slapd stopped.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:54:14
                -0400] - 389-Directory/1.2.11.15 B2013.105.2259
                starting up</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:54:14
                -0400] schema-compat-plugin - warning: no entries set up
                under cn=computers, cn=compat,dc=miovision,dc=linux</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:54:14
                -0400] schema-compat-plugin - warning: no entries set up
                under cn=ng, cn=compat,dc=miovision,dc=linux</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:54:14
                -0400] schema-compat-plugin - warning: no entries set up
                under ou=sudoers,dc=miovision,dc=linux</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:54:14
                -0400] - Skipping CoS Definition cn=Password
                Policy,cn=accounts,dc=miovision,dc=linux--no CoS
                Templates found, which should be added before the CoS
                Definition.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:54:14
                -0400] - Skipping CoS Definition cn=Password
                Policy,cn=accounts,dc=miovision,dc=linux--no CoS
                Templates found, which should be added before the CoS
                Definition.</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:54:14
                -0400] - slapd started.  Listening on All Interfaces
                port 389 for LDAP requests</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:54:14
                -0400] - Listening on All Interfaces port 636 for LDAPS
                requests</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:54:14
                -0400] - Listening on
                /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests</span></font></div>
          <div><font color="#333333"><span
                style="line-height:17.328125px">[21/May/2013:12:58:56
                -0400] NSMMReplicationPlugin - Beginning total update of
                replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".</span></font></div>
          <div style="color:rgb(51,51,51);line-height:17.328125px"><br>
          </div>
        </div>
        <div style="">Am I encountering this issue because of the
          win-subtree setting?</div>
      </div>
    </blockquote>
    <br>
    What issue?<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style="">Is it considered bad practice to set a group like
          this?</div>
      </div>
    </blockquote>
    <br>
    It should be fine.<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style="">I'm not sure what else I would do, as this is the
          only group which contains all of my users, and they reside in
          their respective OUs instead of Users CN.</div>
      </div>
    </blockquote>
    <br>
    It should be fine.<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style=""><br>
        </div>
        <div style="">I've since enabled replication logging, but
          additional information is minimal:</div>
        <div style="">
          <div>
            <div>[21/May/2013:12:58:56 -0400] NSMMReplicationPlugin -
              Beginning total update of replica
              "agmt="cn=meTodc1.miovision.corp" (dc1:389)".</div>
            <div>[21/May/2013:13:54:14 -0400] NSMMReplicationPlugin -
              Running Dirsync <br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    So it's hung here?<br>
    <br>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div style="">
          <div><br>
          </div>
          <div style=""><font color="#333333"><span
                style="line-height:17.328125px">#top shows ns-slapd
                maxing out the CPU.</span></font></div>
          <div style=""><font color="#333333">
              <div>
                <div>  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM
                     TIME+  COMMAND                                    
                                                                       
                                </div>
                <div> 5252 dirsrv    20   0 1177m  33m 8464 S 99.8  3.3
                   57:17.08 ns-slapd    <br>
                </div>
              </div>
            </font></div>
        </div>
      </div>
    </blockquote>
    <br>
    <font color="#333333">Can you do a pstack of the process?<br>
      <br>
      pstack </font><font color="#333333">5252</font>
    <blockquote
cite="mid:CAHnsdUvVn+Z1D4pWicN_Dw_fG3FSVW__TstLpgNfDV_56f=k_A@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br clear="all">
        <div>
          <div dir="ltr"><br>
            <br>
            <br>
            Steve Dainard<br>
            Infrastructure Manager
            <div>
              Miovision Technologies Inc.<br>
              Phone: 519-513-2407 x250</div>
          </div>
        </div>
        <br>
        <br>
        <div class="gmail_quote">On Fri, May 17, 2013 at 2:09 PM, Rich
          Megginson <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div class="h5">
                  <div>On 05/17/2013 12:03 PM, Steve Dainard wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>Thanks for getting me on the right track.</div>
                      <div><br>
                      </div>
                      Yes to the Windows sync agreement.
                      <div><br>
                      </div>
                      <div>I'm not sure if this is related to password
                        sync'ing, but it looks like a sync operation is
                        triggering (and failing) every 4 seconds on one
                        of my users:</div>
                      <div><br>
                      </div>
                      <div>[17/May/2013:13:28:42 -0400]
                        NSMMReplicationPlugin -
                        agmt="cn=meTodc1.miovision.corp" (dc1:389):
                        State: start_backoff -> backoff<br>
                      </div>
                      <div>
                        <div>[17/May/2013:13:28:42 -0400] -
                          acquire_replica, supplier RUV:</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin - supplier:
                          {replicageneration} 50802036000000030000</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin - supplier: {replica 3 <a
                            moz-do-not-send="true">ldap://ipa1.miovision.linux:389</a>}
                          50802036000100030000 51966776000100030000
                          51966776</div>
                        <div>[17/May/2013:13:28:42 -0400] -
                          acquire_replica, consumer RUV:</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin - consumer:
                          {replicageneration} 50802036000000030000</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin - consumer: {replica 3 <a
                            moz-do-not-send="true">ldap://ipa1.miovision.linux:389</a>}
                          50802036000100030000 515ad91f000000030000
                          00000000</div>
                        <div>[17/May/2013:13:28:42 -0400] -
                          acquire_replica, supplier RUV is newer</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          Cancelling linger on the connection</div>
                        <div>[17/May/2013:13:28:42 -0400] -
                          _csngen_adjust_local_time: gen state before
                          519668c60001:1368811718:0:0</div>
                        <div>[17/May/2013:13:28:42 -0400] -
                          _csngen_adjust_local_time: gen state after
                          519668ca0000:1368811722:0:0</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          State: backoff -> sending_updates</div>
                        <div>[17/May/2013:13:28:42 -0400] -
                          csngen_adjust_time: gen state before
                          519668ca0001:1368811722:0:0</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin - changelog program -
                          _cl5GetDBFile: found DB object f6d910 for
                          database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
                        <div>[17/May/2013:13:28:42 -0400] -
                          _cl5PositionCursorForReplay
                          (agmt="cn=meTodc1.miovision.corp" (dc1:389)):
                          Consumer RUV:</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          {replicageneration} 50802036000000030000</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          {replica 3 <a moz-do-not-send="true">ldap://ipa1.miovision.linux:389</a>}
                          50802036000100030000 515ad91f000000030000
                          00000000</div>
                        <div>[17/May/2013:13:28:42 -0400] -
                          _cl5PositionCursorForReplay
                          (agmt="cn=meTodc1.miovision.corp" (dc1:389)):
                          Supplier RUV:</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          {replicageneration} 50802036000000030000</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          {replica 3 <a moz-do-not-send="true">ldap://ipa1.miovision.linux:389</a>}
                          50802036000100030000 51966776000100030000
                          51966776</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          agmt="cn=meTodc1.miovision.corp" (dc1:389) -
                          clcache_get_buffer: found thread private
                          buffer cache 7f30bc061d00</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          agmt="cn=meTodc1.miovision.corp" (dc1:389) -
                          clcache_get_buffer: _pool is 2e7cc10
                          _pool->pl_busy_lists is 7f30bc050790
                          _pool->pl_busy_lists->bl_buffers is
                          7f30bc061d00</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          agmt="cn=meTodc1.miovision.corp" (dc1:389) -
                          session start: anchorcsn=515ad91f000000030000</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin - changelog program -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          CSN 515ad91f000000030000 found, position set
                          for replay</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          agmt="cn=meTodc1.miovision.corp" (dc1:389) -
                          load=1 rec=1 csn=515ae3f4000000030000</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          windows_replay_update: Looking at modify
                          operation local
                          dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
                          (ours,user,not group)</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          map_entry_dn_outbound: looking for AD entry
                          for DS
                          dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
                          guid="ba17f9770e0c814cb9eea9df2d4df61a"</div>
                        <div>[17/May/2013:13:28:42 -0400] - Calling
                          windows entry search request plugin</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin - Could not retrieve
                          entry from Windows using search base
                          [&lt;GUID=ba17f9770e0c814cb9eea9df2d4df61a&gt;]
                          scope [0] filter [(objectclass=*)]: error
                          1:Operations error</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          map_entry_dn_outbound: return code -1 from
                          search for AD entry
                          dn="&lt;GUID=ba17f9770e0c814cb9eea9df2d4df61a&gt;"
                          or dn="(null)"</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          map_entry_dn_outbound: entry not found - rc -1</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          windows_replay_update: Processing modify
                          operation local
                          dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
                          remote
                          dn="&lt;GUID=ba17f9770e0c814cb9eea9df2d4df61a&gt;"</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          map_entry_dn_outbound: looking for AD entry
                          for DS
                          dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
                          guid="ba17f9770e0c814cb9eea9df2d4df61a"</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          map_entry_dn_outbound: looking for AD entry
                          for DS
                          dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
                          username="jkeller"</div>
                        <div>[17/May/2013:13:28:42 -0400] - Calling
                          windows entry search request plugin</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin - Could not retrieve
                          entry from Windows using search base
                          [dc=miovision,dc=corp] scope [2] filter
                          [(samAccountName=jkeller)]: error 1:Operations
                          error</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          map_entry_dn_outbound: entry not found - rc -1</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          map_entry_dn_outbound: failed to fetch entry
                          from AD:
                          dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux",
                          err=-1</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          windows_replay_update: update password
                          returned 1</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          Consumer failed to replay change (uniqueid
                          cd3be819-21c711e2-96aaaa0d-17c9983f, CSN
                          515ae3f4000000030000): Operations error. Will
                          retry later.</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          agmt="cn=meTodc1.miovision.corp" (dc1:389) -
                          session end: state=0 load=1 sent=1 skipped=0</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          Beginning linger on the connection</div>
                        <div>[17/May/2013:13:28:42 -0400]
                          NSMMReplicationPlugin -
                          agmt="cn=meTodc1.miovision.corp" (dc1:389):
                          State: sending_updates -> start_backoff</div>
                        <div><br>
                        </div>
                        <div>
                          <div><br>
                          </div>
                          <div><br>
                          </div>
                          <div>Here's the output of an ldapsearch for
                            the user jkeller:</div>
                          <div><br>
                          </div>
                          <div>
                            <div>#/usr/bin/ldapsearch -h
                              dc1.miovision.corp -D <a
                                moz-do-not-send="true"
                                href="mailto:ldap-auth@miovision.corp"
                                target="_blank">"ldap-auth@miovision.corp"</a>
                              -W -b "dc=miovision,dc=corp"
                              '(samAccountName=jkeller)' cn
                              samAccountName</div>
                            <div><br>
                            </div>
                          </div>
                          <div>
                            <div># Joel Keller, 01Engineering,
                              miovision.corp</div>
                            <div>dn: CN=Joel
                              Keller,OU=01Engineering,DC=miovision,DC=corp</div>
                            <div>cn: Joel Keller</div>
                            <div>sAMAccountName: jkeller</div>
                          </div>
                        </div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                        <div>When I change my password on the IPA
                          server, it looks like the change is queued:</div>
                        <div><br>
                        </div>
                        <div>
                          <div>[17/May/2013:13:53:48 -0400] -
                            _csngen_adjust_local_time: gen state before
                            51966eab0001:1368813227:0:0</div>
                          <div>[17/May/2013:13:53:48 -0400] -
                            _csngen_adjust_local_time: gen state after
                            51966eac0000:1368813228:0:0</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin -
                            ruv_add_csn_inprogress: successfully
                            inserted csn 51966eac000000030000 into
                            pending list</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - Purged state
                            information from entry
                            uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux
                            up to CSN 518d33f9000700030000</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - changelog program -
                            _cl5GetDBFileByReplicaName: found DB object
                            f6d910 for database
                            /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - changelog program -
                            _cl5GetDBFileByReplicaName: found DB object
                            f6d910 for database
                            /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - ruv_update_ruv:
                            successfully committed csn
                            51966eac000000030000</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin -
                            ruv_add_csn_inprogress: successfully
                            inserted csn 51966eac000100030000 into
                            pending list</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - Purged state
                            information from entry
                            uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux
                            up to CSN 518d342c000000030000</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - changelog program -
                            _cl5GetDBFileByReplicaName: found DB object
                            f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - changelog program -
                            _cl5GetDBFileByReplicaName: found DB object
                            f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - ruv_update_ruv:
                            successfully committed csn
                            51966eac000100030000</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin -
                            agmt="cn=meTodc1.miovision.corp" (dc1:389):
                            State: start_backoff -> backoff</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin -
                            ruv_add_csn_inprogress: successfully
                            inserted csn 51966eac000200030000 into
                            pending list</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - Purged state
                            information from entry
                            uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux
                            up to CSN 518d342c000100030000</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - changelog program -
                            _cl5GetDBFileByReplicaName: found DB object
                            f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - changelog program -
                            _cl5GetDBFileByReplicaName: found DB object
                            f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin - ruv_update_ruv:
                            successfully committed csn
                            51966eac000200030000</div>
                          <div>[17/May/2013:13:53:48 -0400]
                            NSMMReplicationPlugin -
                            agmt="cn=meTodc1.miovision.corp" (dc1:389):
                            State: backoff -> backoff</div>
                          <div><br>
                          </div>
                        </div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                        <div>Perhaps whatever is causing the sync error
                          with user jkeller is holding up the queued
                          transactions?</div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
              Yes.  It is attempting to replay the password change
              operation.  It first tries to find the entry in AD, but
              that is failing with operations error.<br>
              <br>
              Try doing the ldapsearch with the same bind DN and
              password you specified when you set up the winsync
              agreement.  Or did you use <a moz-do-not-send="true"
                href="mailto:ldap-auth@miovision.corp" target="_blank">"ldap-auth@miovision.corp"</a>?<br>
              <br>
              Another difference is that winsync uses LDAPS - so try
              this:<br>
              <br>
              LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch
              -H <a moz-do-not-send="true">ldaps://dc1.miovision.corp</a>
              -D <a moz-do-not-send="true"
                href="mailto:ldap-auth@miovision.corp" target="_blank">"ldap-auth@miovision.corp"</a>
              -W -b "dc=miovision,dc=corp" '(samAccountName=jkeller)' cn
              samAccountName
              <div>
                <div class="h5"><br>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_extra"><br clear="all">
                        <div>
                          <div dir="ltr"> <br>
                            <br>
                            <br>
                            Steve Dainard<br>
                            Infrastructure Manager
                            <div>Miovision Technologies Inc.<br>
                              <br>
                            </div>
                          </div>
                        </div>
                        <br>
                        <div class="gmail_quote">On Fri, May 17, 2013 at
                          11:39 AM, Rich Megginson <span dir="ltr"><<a
                              moz-do-not-send="true"
                              href="mailto:rmeggins@redhat.com"
                              target="_blank">rmeggins@redhat.com</a>></span>
                          wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                            <div bgcolor="#FFFFFF" text="#000000">
                              <div>
                                <div>On 05/17/2013 09:26 AM, Steve
                                  Dainard wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">Hello,
                                    <div><br>
                                    </div>
                                    <div>We're running a single IPA
                                      server (CentOS 6) on our network
                                      as a side project for some testing
                                      before we implement.</div>
                                    <div><br>
                                    </div>
                                    <div>It had been a significant
                                      period of time since I had last
                                      logged into the web interface, so
                                      I had to kinit from a client
                                      machine (of which I had logged
                                      into successfully with my domain
                                      password), at which point I was
                                      requested to change my password.
                                      After the password change I RDP'd
                                      into a Windows machine on our
                                      domain and realized the password
                                      had not been updated on the domain
                                      controller.</div>
                                    <div><br>
                                    </div>
                                    <div>Is the password sync feature
                                      with an external source such as
                                      Active Directory supposed to be
                                      two-way? If so where can I start
                                      troubleshooting this issue?</div>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                              Are you talking about a windows sync
                              agreement you set up with
                              ipa-replica-manage?<br>
                              If so, yes, the password sync is supposed
                              to be two-way.<br>
                              Try this:<br>
                              turn on the replication log level <a
                                moz-do-not-send="true"
                                href="http://port389.org/wiki/FAQ#Troubleshooting"
                                target="_blank">http://port389.org/wiki/FAQ#Troubleshooting</a><br>
                              change your IPA password<br>
                              turn off the replication log level <a
                                moz-do-not-send="true"
                                href="http://port389.org/wiki/FAQ#Troubleshooting"
                                target="_blank">http://port389.org/wiki/FAQ#Troubleshooting</a><br>
                              see if you can use your new password in AD<br>
                              <br>
                              The 389 errors log in
                              /var/log/dirsrv/slapd-YOUR-DOMAIN/errors
                              may contain a clue.<br>
                              <br>
                              <blockquote type="cite">
                                <div>
                                  <div dir="ltr">
                                    <div><br>
                                    </div>
                                    <div>Thanks,<br clear="all">
                                      <div>
                                        <div dir="ltr"><br>
                                          <br>
                                          <br>
                                          Steve Dainard<br>
                                          Infrastructure Manager
                                          <div>Miovision Technologies
                                            Inc.<br>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <br>
                                  <br>
                                </div>
                                <pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                              </blockquote>
                              <br>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
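    <div>The diagnosis in this thread (one winsync replay that fails its AD lookup, with later changes committed locally while the agreement sits in backoff) can be read straight out of the errors log. The Python below is an added example, not code from the thread or from 389 Directory Server; the function name summarize and the sample text (records joined from the log lines quoted above) are assumptions of this example.</div>

```python
import re

# Constructed sample: errors-log records joined from the lines quoted in this
# thread, one record per line (the file is /var/log/dirsrv/slapd-YOUR-DOMAIN/errors).
SAMPLE_LOG = """\
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_replay_update: Processing modify operation local dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" remote dn="<GUID=ba17f9770e0c814cb9eea9df2d4df61a>"
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [dc=miovision,dc=corp] scope [2] filter [(samAccountName=jkeller)]: error 1:Operations error
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Consumer failed to replay change (uniqueid cd3be819-21c711e2-96aaaa0d-17c9983f, CSN 515ae3f4000000030000): Operations error. Will retry later.
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: sending_updates -> start_backoff
[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 51966eac000000030000
[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 51966eac000100030000
[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: start_backoff -> backoff
[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 51966eac000200030000
[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff -> backoff
"""

AGMT = re.compile(r'agmt="([^"]+)"')
PROCESSING = re.compile(r'windows_replay_update: Processing (\w+) operation local dn="([^"]+)"')
AD_SEARCH = re.compile(r'Could not retrieve entry from Windows using search base \[([^\]]*)\] '
                       r'scope \[(\d+)\] filter \[(.*)\]: error (\d+):(.*)$')
FAILED = re.compile(r'Consumer failed to replay change \(uniqueid ([\w-]+), CSN (\w+)\): '
                    r'(.*?)\. Will retry later')
COMMITTED = re.compile(r'ruv_update_ruv: successfully committed csn (\w+)')
STATE = re.compile(r'State: (\w+) -> (\w+)')


def summarize(log_text):
    """Per agreement: the change whose replay failed, the AD lookup that
    failed just before it, local CSNs committed since, and the last state."""
    report = {}        # agreement name -> summary dict
    local_dn = None    # DN from the most recent "Processing ... operation" record
    ad_search = None   # most recent failed AD lookup (it carries no agmt= tag)
    for line in log_text.splitlines():
        agmt = AGMT.search(line)
        name = agmt.group(1) if agmt else None
        if (m := PROCESSING.search(line)):
            local_dn, ad_search = m.group(2), None
        elif (m := AD_SEARCH.search(line)):
            ad_search = {"base": m.group(1), "filter": m.group(3),
                         "error": m.group(5).strip()}
        elif (m := FAILED.search(line)) and name:
            report[name] = {"blocked_on_dn": local_dn, "uniqueid": m.group(1),
                            "csn": m.group(2), "error": m.group(3),
                            "ad_search": ad_search, "queued_csns": [], "state": None}
        elif (m := COMMITTED.search(line)):
            # Committed locally after the failure; per the reply in this thread,
            # these are held up behind the change that cannot be replayed.
            for info in report.values():
                info["queued_csns"].append(m.group(1))
        elif (m := STATE.search(line)) and name in report:
            report[name]["state"] = m.group(2)
    return report


if __name__ == "__main__":
    for agmt_name, info in summarize(SAMPLE_LOG).items():
        print(agmt_name, info)
```

    <div>The search base and filter it reports are the ones to repeat by hand with ldapsearch over LDAPS, using the bind DN from the winsync agreement, as suggested in the reply above.</div>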
  </body>
</html>