<div dir="ltr">So over the weekend, with some serious tinkering I managed to brick that install beyond recovery.<div><br></div><div style>I've reinstalled, set up FreeIPA as a standalone CA with DNS, and did the initial winsync agreement.</div>
<div style><br></div><div style>After the initial agreement was synced I modified the <span style="color:rgb(51,51,51);font-size:13px;line-height:17.328125px">nsds7WindowsReplicaSubtree entry to reflect the AD group I want users sync'd from: CN=Shared Login, CN=Users,DC=miovision,DC=corp. Note when attempting to do an initial ldapsearch I got a 'can't connect to LDAP server' message, and had to manually start dirsrv... this is probably already a bad sign.</span></div>
<div style><br></div><div style><font color="#333333"><span style="line-height:17.328125px">Although the documentation mentions changes will be applied on next sync when '</span></font><span style="color:rgb(51,51,51);font-size:13px;line-height:17.328125px">nsds7WindowsReplicaSubtree' is changed, </span><span style="line-height:17.328125px;color:rgb(51,51,51)">they do not. Also if I try to include the </span><span style="color:rgb(51,51,51);font-size:13px;line-height:17.328125px">--win-subtree=CN=Shared Login,CN=Users,DC=miovision,DC=corp argument I get an invalid password message; this might be because I didn't quote the DN though.</span><span style="color:rgb(51,51,51);line-height:17.328125px"> So I then ran ipa-replica-manage re-initialize --from dc1.miovision.corp.</span></div>
<div style><font color="#333333"><span style="line-height:17.328125px"><br></span></font></div><div style><font color="#333333"><span style="line-height:17.328125px">I now have a screen session with an incredible amount of </span></font><span style="line-height:17.328125px;color:rgb(51,51,51)">"Update in progress" lines which has been running for about 30 minutes now (triggered at 12:58:56). I tried this on the weekend as well, and the process ran overnight so I killed it and had to start from scratch again.</span></div>
<div style><span style="line-height:17.328125px;color:rgb(51,51,51)"><br></span></div><div style><span style="line-height:17.328125px;color:rgb(51,51,51)">The dirsrv error log is:</span></div><div style><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:24:01 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:24:01 -0400] - Listening on All Interfaces port 636 for LDAPS requests</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:24:01 -0400] - Listening on /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:13 -0400] - slapd shutting down - signaling operation threads</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:13 -0400] - slapd shutting down - closing down internal subsystems and plugins</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:13 -0400] - Waiting for 4 database threads to stop</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:13 -0400] - All database threads now stopped</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:13 -0400] - slapd stopped.</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:16 -0400] - 389-Directory/1.2.11.15 B2013.105.2259 starting up</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:16 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=miovision,dc=linux</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:16 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=miovision,dc=linux</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:16 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=miovision,dc=linux</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:16 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which should be added before the CoS Definition.</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:16 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which should be added before the CoS Definition.</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:16 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:16 -0400] - Listening on All Interfaces port 636 for LDAPS requests</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:16 -0400] - Listening on /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:18 -0400] - Entry "cn=meTodc1.miovision.corp,cn=replica,cn=dc\3Dmiovision\2Cdc\3Dlinux,cn=mapping tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not allowed</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:18 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Replica has no update vector. It has never been initialized.</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:18 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Replica has no update vector. It has never been initialized.</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:18 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Replica has no update vector. It has never been initialized.</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:20 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:21 -0400] - Entry "uid=krbtgt,cn=users,cn=accounts,dc=miovision,dc=linux" missing attribute "sn" required by object class "person"</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:21 -0400] - Entry "uid=krbtgt_18424,cn=users,cn=accounts,dc=miovision,dc=linux" missing attribute "sn" required by object class "person"</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:21 -0400] - Entry "uid=IUSR_MIOFILES,cn=users,cn=accounts,dc=miovision,dc=linux" missing attribute "sn" required by object class "person"</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:21 -0400] - Entry "uid=IWAM_MIOFILES,cn=users,cn=accounts,dc=miovision,dc=linux" missing attribute "sn" required by object class "person"</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:21 -0400] - Entry "uid=backup,cn=users,cn=accounts,dc=miovision,dc=linux" missing attribute "sn" required by object class "person"</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:21 -0400] - Entry "uid=Guest,cn=users,cn=accounts,dc=miovision,dc=linux" missing attribute "sn" required by object class "person"</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:22 -0400] - Entry "uid=ldap-auth,cn=users,cn=accounts,dc=miovision,dc=linux" missing attribute "sn" required by object class "person"</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:22 -0400] - Entry "uid=Administrator,cn=users,cn=accounts,dc=miovision,dc=linux" missing attribute "sn" required by object class "person"</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:22 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)". Sent 2 entries.</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:23 -0400] - slapd shutting down - signaling operation threads</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:23 -0400] - slapd shutting down - closing down internal subsystems and plugins</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:23 -0400] - Waiting for 4 database threads to stop</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:23 -0400] - All database threads now stopped</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:50:23 -0400] - slapd stopped.</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:54:14 -0400] - 389-Directory/1.2.11.15 B2013.105.2259 starting up</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:54:14 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=miovision,dc=linux</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:54:14 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=miovision,dc=linux</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:54:14 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=miovision,dc=linux</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:54:14 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which should be added before the CoS Definition.</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:54:14 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found, which should be added before the CoS Definition.</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:54:14 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:54:14 -0400] - Listening on All Interfaces port 636 for LDAPS requests</span></font></div>
<div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:54:14 -0400] - Listening on /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests</span></font></div><div><font color="#333333"><span style="line-height:17.328125px">[21/May/2013:12:58:56 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".</span></font></div>
<div style="color:rgb(51,51,51);line-height:17.328125px"><br></div></div><div style>Am I encountering this issue because of the win-subtree setting? Is it considered bad practice to set a group like this? I'm not sure what else I would do, as this is the only group which contains all of my users, and they reside in their respective OUs instead of Users CN.</div>
<div style><br></div><div style>I've since enabled replication logging, but additional information is minimal:</div><div style><div><div>[21/May/2013:12:58:56 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".</div>
<div>[21/May/2013:13:54:14 -0400] NSMMReplicationPlugin - Running Dirsync </div></div><div><br></div><div style><font color="#333333"><span style="line-height:17.328125px">#top shows ns-slapd maxing out the CPU.</span></font></div>
<div style><font color="#333333"><div><div>  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                                                                         </div>
<div> 5252 dirsrv    20   0 1177m  33m 8464 S 99.8  3.3  57:17.08 ns-slapd    </div></div></font></div></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><br><br><br>Steve Dainard<br>Infrastructure Manager<div>
Miovision Technologies Inc.<br>Phone: 519-513-2407 x250</div></div></div>
<br><br><div class="gmail_quote">On Fri, May 17, 2013 at 2:09 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
    <div>On 05/17/2013 12:03 PM, Steve Dainard
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>Thanks for getting me on the right track.</div>
        <div><br>
        </div>
        Yes to the Windows sync agreement.
        <div><br>
        </div>
        <div>I'm not sure if this is related to password sync'ing, but
          it looks like a sync operation is triggering (and failing)
          every 4 seconds on one of my users:</div>
        <div><br>
        </div>
        <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
          agmt="cn=meTodc1.miovision.corp" (dc1:389): State:
          start_backoff -> backoff<br>
        </div>
        <div>
          <div>[17/May/2013:13:28:42 -0400] - acquire_replica, supplier
            RUV:</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            supplier: {replicageneration} 50802036000000030000</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            supplier: {replica 3 <a>ldap://ipa1.miovision.linux:389</a>}
            50802036000100030000 51966776000100030000 51966776</div>
          <div>[17/May/2013:13:28:42 -0400] - acquire_replica, consumer
            RUV:</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            consumer: {replicageneration} 50802036000000030000</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            consumer: {replica 3 <a>ldap://ipa1.miovision.linux:389</a>}
            50802036000100030000 515ad91f000000030000 00000000</div>
          <div>[17/May/2013:13:28:42 -0400] - acquire_replica, supplier
            RUV is newer</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389): Cancelling
            linger on the connection</div>
          <div>[17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time:
            gen state before 519668c60001:1368811718:0:0</div>
          <div>[17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time:
            gen state after 519668ca0000:1368811722:0:0</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff
            -> sending_updates</div>
          <div>[17/May/2013:13:28:42 -0400] - csngen_adjust_time: gen
            state before 519668ca0001:1368811722:0:0</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            changelog program - _cl5GetDBFile: found DB object f6d910
            for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
          <div>[17/May/2013:13:28:42 -0400] -
            _cl5PositionCursorForReplay
            (agmt="cn=meTodc1.miovision.corp" (dc1:389)): Consumer RUV:</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            {replicageneration} 50802036000000030000</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3
            <a>ldap://ipa1.miovision.linux:389</a>} 50802036000100030000
            515ad91f000000030000 00000000</div>
          <div>[17/May/2013:13:28:42 -0400] -
            _cl5PositionCursorForReplay
            (agmt="cn=meTodc1.miovision.corp" (dc1:389)): Supplier RUV:</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            {replicageneration} 50802036000000030000</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3
            <a>ldap://ipa1.miovision.linux:389</a>} 50802036000100030000
            51966776000100030000 51966776</div>
          <div>[17/May/2013:13:28:42 -0400]
            agmt="cn=meTodc1.miovision.corp" (dc1:389) -
            clcache_get_buffer: found thread private buffer cache
            7f30bc061d00</div>
          <div>[17/May/2013:13:28:42 -0400]
            agmt="cn=meTodc1.miovision.corp" (dc1:389) -
            clcache_get_buffer: _pool is 2e7cc10 _pool->pl_busy_lists
            is 7f30bc050790 _pool->pl_busy_lists->bl_buffers is
            7f30bc061d00</div>
          <div>[17/May/2013:13:28:42 -0400]
            agmt="cn=meTodc1.miovision.corp" (dc1:389) - session start:
            anchorcsn=515ad91f000000030000</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            changelog program - agmt="cn=meTodc1.miovision.corp"
            (dc1:389): CSN 515ad91f000000030000 found, position set for
            replay</div>
          <div>[17/May/2013:13:28:42 -0400]
            agmt="cn=meTodc1.miovision.corp" (dc1:389) - load=1 rec=1
            csn=515ae3f4000000030000</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            windows_replay_update: Looking at modify operation local
            dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
            (ours,user,not group)</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            map_entry_dn_outbound: looking for AD entry for DS
            dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
            guid="ba17f9770e0c814cb9eea9df2d4df61a"</div>
          <div>[17/May/2013:13:28:42 -0400] - Calling windows entry
            search request plugin</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            Could not retrieve entry from Windows using search base
            [<GUID=ba17f9770e0c814cb9eea9df2d4df61a>] scope [0]
            filter [(objectclass=*)]: error 1:Operations error</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            map_entry_dn_outbound: return code -1 from search for AD
            entry dn="<GUID=ba17f9770e0c814cb9eea9df2d4df61a>" or
            dn="(null)"</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            map_entry_dn_outbound: entry not found - rc -1</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            windows_replay_update: Processing modify operation local
            dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
            remote dn="<GUID=ba17f9770e0c814cb9eea9df2d4df61a>"</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            map_entry_dn_outbound: looking for AD entry for DS
            dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
            guid="ba17f9770e0c814cb9eea9df2d4df61a"</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            map_entry_dn_outbound: looking for AD entry for DS
            dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
            username="jkeller"</div>
          <div>[17/May/2013:13:28:42 -0400] - Calling windows entry
            search request plugin</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            Could not retrieve entry from Windows using search base
            [dc=miovision,dc=corp] scope [2] filter
            [(samAccountName=jkeller)]: error 1:Operations error</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            map_entry_dn_outbound: entry not found - rc -1</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            map_entry_dn_outbound: failed to fetch entry from AD:
            dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux",
            err=-1</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389):
            windows_replay_update: update password returned 1</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389): Consumer failed
            to replay change (uniqueid
            cd3be819-21c711e2-96aaaa0d-17c9983f, CSN
            515ae3f4000000030000): Operations error. Will retry later.</div>
          <div>[17/May/2013:13:28:42 -0400]
            agmt="cn=meTodc1.miovision.corp" (dc1:389) - session end:
            state=0 load=1 sent=1 skipped=0</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389): Beginning linger
            on the connection</div>
          <div>[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
            agmt="cn=meTodc1.miovision.corp" (dc1:389): State:
            sending_updates -> start_backoff</div>
          <div><br>
          </div>
          <div>
            <div><br>
            </div>
            <div><br>
            </div>
            <div>Here's the output of an ldapsearch for the user
              jkeller:</div>
            <div><br>
            </div>
            <div>
              <div>#/usr/bin/ldapsearch -h dc1.miovision.corp -D
                <a href="mailto:ldap-auth@miovision.corp" target="_blank">"ldap-auth@miovision.corp"</a> -W -b "dc=miovision,dc=corp"
                '(samAccountName=jkeller)' cn samAccountName</div>
              <div><br>
              </div>
            </div>
            <div>
              <div># Joel Keller, 01Engineering, miovision.corp</div>
              <div>dn: CN=Joel
                Keller,OU=01Engineering,DC=miovision,DC=corp</div>
              <div>cn: Joel Keller</div>
              <div>sAMAccountName: jkeller</div>
            </div>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>When I change my password on the IPA server, it
            looks like the change is queued:</div>
          <div><br>
          </div>
          <div>
            <div>[17/May/2013:13:53:48 -0400] -
              _csngen_adjust_local_time: gen state before
              51966eab0001:1368813227:0:0</div>
            <div>[17/May/2013:13:53:48 -0400] -
              _csngen_adjust_local_time: gen state after
              51966eac0000:1368813228:0:0</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              ruv_add_csn_inprogress: successfully inserted csn
              51966eac000000030000 into pending list</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              Purged state information from entry
              uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux up
              to CSN 518d33f9000700030000</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              changelog program - _cl5GetDBFileByReplicaName: found DB
              object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              changelog program - _cl5GetDBFileByReplicaName: found DB
              object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              ruv_update_ruv: successfully committed csn
              51966eac000000030000</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              ruv_add_csn_inprogress: successfully inserted csn
              51966eac000100030000 into pending list</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              Purged state information from entry
              uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux up
              to CSN 518d342c000000030000</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              changelog program - _cl5GetDBFileByReplicaName: found DB
              object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              changelog program - _cl5GetDBFileByReplicaName: found DB
              object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              ruv_update_ruv: successfully committed csn
              51966eac000100030000</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              agmt="cn=meTodc1.miovision.corp" (dc1:389): State:
              start_backoff -> backoff</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              ruv_add_csn_inprogress: successfully inserted csn
              51966eac000200030000 into pending list</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              Purged state information from entry
              uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux up
              to CSN 518d342c000100030000</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              changelog program - _cl5GetDBFileByReplicaName: found DB
              object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              changelog program - _cl5GetDBFileByReplicaName: found DB
              object f6d910 for database
/var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              ruv_update_ruv: successfully committed csn
              51966eac000200030000</div>
            <div>[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
              agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff
              -> backoff</div>
            <div><br>
            </div>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>Perhaps whatever is causing the sync error with
            user jkeller is holding up the queued transactions?</div>
        </div>
      </div>
    </blockquote>
    <br></div></div>
    Yes.  It is attempting to replay the password change operation.  It
    first tries to find the entry in AD, but that is failing with
    operations error.<br>
    <br>
    Try doing the ldapsearch with the same bind DN and password you
    specified when you set up the winsync agreement.  Or did you use
    <a href="mailto:ldap-auth@miovision.corp" target="_blank">"ldap-auth@miovision.corp"</a>?<br>
    <br>
    Another difference is that winsync uses LDAPS - so try this:<br>
    <br>
    LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -H
    <a>ldaps://dc1.miovision.corp</a> -D <a href="mailto:ldap-auth@miovision.corp" target="_blank">"ldap-auth@miovision.corp"</a> -W -b
    "dc=miovision,dc=corp" '(samAccountName=jkeller)' cn samAccountName<div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra"><br clear="all">
          <div>
            <div dir="ltr">
              <br>
              <br>
              <br>
              Steve Dainard<br>
              Infrastructure Manager
              <div>Miovision Technologies Inc.<br>
                <br>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">On Fri, May 17, 2013 at 11:39 AM,
            Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div>
                  <div>On 05/17/2013 09:26 AM, Steve Dainard wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Hello,
                      <div><br>
                      </div>
                      <div>We're running a single IPA server (CentOS 6)
                        on our network as a side project for some
                        testing before we implement.</div>
                      <div><br>
                      </div>
                      <div>It had been a significant period of time
                        since I had last logged into the web interface,
                        so I had to kinit from a client machine (of
                        which I had logged into successfully with my
                        domain password), at which point I was requested
                        to change my password. After the password change
                        I RDP'd into a Windows machine on our domain and
                        realized the password had not been updated on
                        the domain controller.</div>
                      <div><br>
                      </div>
                      <div>Is the password sync feature with an external
                        source such as Active Directory supposed to be
                        two-way? If so where can I start troubleshooting
                        this issue?</div>
                    </div>
                  </blockquote>
                  <br>
                </div>
                Are you talking about a windows sync agreement you set
                up with ipa-replica-manage?<br>
                If so, yes, the password sync is supposed to be two-way.<br>
                Try this:<br>
                turn on the replication log level <a href="http://port389.org/wiki/FAQ#Troubleshooting" target="_blank">http://port389.org/wiki/FAQ#Troubleshooting</a><br>
                change your IPA password<br>
                turn off the replication log level <a href="http://port389.org/wiki/FAQ#Troubleshooting" target="_blank">http://port389.org/wiki/FAQ#Troubleshooting</a><br>
                see if you can use your new password in AD<br>
                <br>
                The 389 errors log in
                /var/log/dirsrv/slapd-YOUR-DOMAIN/errors may contain a
                clue.<br>
                <br>
                <blockquote type="cite">
                  <div>
                    <div dir="ltr">
                      <div><br>
                      </div>
                      <div>Thanks,<br clear="all">
                        <div>
                          <div dir="ltr"><br>
                            <br>
                            <br>
                            Steve Dainard<br>
                            Infrastructure Manager
                            <div>Miovision Technologies Inc.<br>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                  </div>
                  <pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                </blockquote>
                <br>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
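<div>An added example, not part of the original thread or of 389 Directory Server: a small Python triage script for the errors log discussed above. It reports changes that winsync keeps failing to replay (the situation Rich describes, where the AD lookup returns an operations error and the change is retried) and total updates that began but never logged a finish. The sample log is constructed from the excerpts in the thread, flattened to one entry per line; the 13:28:46 retry and the function names are assumptions made for the example.</div>

```python
import re
from datetime import datetime

# Constructed sample: entries adapted from the thread's excerpts, one per line.
# The second cycle (13:28:46) is made up to represent the 4-second retry.
SAMPLE_LOG = '''\
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_replay_update: Looking at modify operation local dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" (ours,user,not group)
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [<GUID=ba17f9770e0c814cb9eea9df2d4df61a>] scope [0] filter [(objectclass=*)]: error 1:Operations error
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [dc=miovision,dc=corp] scope [2] filter [(samAccountName=jkeller)]: error 1:Operations error
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Consumer failed to replay change (uniqueid cd3be819-21c711e2-96aaaa0d-17c9983f, CSN 515ae3f4000000030000): Operations error. Will retry later.
[17/May/2013:13:28:46 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_replay_update: Looking at modify operation local dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" (ours,user,not group)
[17/May/2013:13:28:46 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [<GUID=ba17f9770e0c814cb9eea9df2d4df61a>] scope [0] filter [(objectclass=*)]: error 1:Operations error
[17/May/2013:13:28:46 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [dc=miovision,dc=corp] scope [2] filter [(samAccountName=jkeller)]: error 1:Operations error
[17/May/2013:13:28:46 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Consumer failed to replay change (uniqueid cd3be819-21c711e2-96aaaa0d-17c9983f, CSN 515ae3f4000000030000): Operations error. Will retry later.
[21/May/2013:12:50:20 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".
[21/May/2013:12:50:22 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)". Sent 2 entries.
[21/May/2013:12:58:56 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".
'''

LINE = re.compile(r'^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\] (.*)$')
LOOKING = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \([^)]*\): windows_replay_update: '
    r'Looking at \w+ operation local dn="(?P<dn>[^"]+)"')
AD_FAIL = re.compile(
    r'Could not retrieve entry from Windows using search base \[(?P<base>[^\]]*)\] '
    r'scope \[\d+\] filter \[(?P<filter>[^\]]*)\]: error (?P<code>-?\d+):')
REPLAY_FAIL = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \([^)]*\): Consumer failed to replay change '
    r'\(uniqueid [^,]+, CSN (?P<csn>[0-9a-f]+)\): (?P<err>.+?)\. Will retry later')
TOTAL = re.compile(
    r'(?P<what>Beginning|Finished) total update of replica "agmt="(?P<agmt>[^"]+)"')


def entries(text):
    """Yield (timestamp, message) for every well-formed errors-log line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"), m.group(2)


def stalled_replays(text, min_repeats=2):
    """Return {(agreement, csn): details} for changes retried >= min_repeats times."""
    seen = {}
    last_dn, ad_errors = None, []
    for ts, msg in entries(text):
        m = LOOKING.search(msg)
        if m:  # start of a new replay attempt: remember which entry it concerns
            last_dn, ad_errors = m.group("dn"), []
            continue
        m = AD_FAIL.search(msg)
        if m:  # AD lookup failed; keep the search that was attempted
            ad_errors.append((m.group("base"), m.group("filter"), int(m.group("code"))))
            continue
        m = REPLAY_FAIL.search(msg)
        if m:
            key = (m.group("agmt"), m.group("csn"))
            rec = seen.setdefault(key, {"count": 0, "first": ts, "dn": last_dn,
                                        "error": m.group("err"), "ad_searches": set()})
            rec["count"] += 1
            rec["last"] = ts
            rec["ad_searches"].update(ad_errors)
    return {k: v for k, v in seen.items() if v["count"] >= min_repeats}


def unfinished_total_updates(text):
    """Return {agreement: start time} for total updates with no 'Finished' line."""
    open_updates = {}
    for ts, msg in entries(text):
        m = TOTAL.search(msg)
        if not m:
            continue
        if m.group("what") == "Beginning":
            open_updates[m.group("agmt")] = ts
        else:
            open_updates.pop(m.group("agmt"), None)
    return open_updates


if __name__ == "__main__":
    for (agmt, csn), rec in stalled_replays(SAMPLE_LOG).items():
        print(f"{agmt}: CSN {csn} failed {rec['count']}x "
              f"({rec['first']} .. {rec['last']}) for {rec['dn']}: {rec['error']}")
        for base, flt, code in sorted(rec["ad_searches"]):
            print(f"    AD search base={base} filter={flt} -> error {code}")
    for agmt, started in unfinished_total_updates(SAMPLE_LOG).items():
        print(f"{agmt}: total update started {started} has no 'Finished' entry")
```

<div>Against a real server the input would be the contents of /var/log/dirsrv/slapd-YOUR-DOMAIN/errors, collected with the replication log level turned on as described in the thread.</div>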