<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 11/25/2013 04:57 PM, Rich Megginson
      wrote:<br>
    </div>
    <blockquote cite="mid:5293E3F1.3010002@redhat.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      <div class="moz-cite-prefix">On 11/25/2013 11:51 AM, Emil
        Petersson wrote:<br>
      </div>
      <blockquote
        cite="mid:EDC9EBD9-3A79-478A-ACE5-20D493F21857@melt.se"
        type="cite">
        <meta http-equiv="Content-Type" content="text/html;
          charset=ISO-8859-1">
        On 25 Nov 2013, at 17:21, Rich Megginson <<a
          moz-do-not-send="true" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>

        wrote:<br>
        <div><br class="Apple-interchange-newline">
          <blockquote type="cite">
            <div bgcolor="#FFFFFF" text="#000000" style="font-family:
              Helvetica; font-size: 15px; font-style: normal;
              font-variant: normal; font-weight: normal; letter-spacing:
              normal; line-height: normal; orphans: auto; text-align:
              start; text-indent: 0px; text-transform: none;
              white-space: normal; widows: auto; word-spacing: 0px;
              -webkit-text-stroke-width: 0px;">
              <div class="moz-cite-prefix">On 11/25/2013 08:14 AM, Emil
                Petersson wrote:<br>
              </div>
              <blockquote cite="mid:5293694E.9060606@melt.se"
                type="cite">Hi,<br>
                <br>
                I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some
                unexpected behaviour with winsync replication.<br>
                <br>
                1. I have a working winsync agreement, and users are
                synced correctly.<br>
                <br>
2. If a user already exists in IPA when I sync it
                from AD, I'm seeing the following in the dirsrv error
                logs:<br>
                <br>
                    [25/Nov/2013:14:29:03 +0000] NSMMReplicationPlugin -
                windows_update_local_entry: failed to modify entry
                uid=username,cn=users,cn=accounts,dc=domain,dc=net -
                error 21:Invalid syntax<br>
                <br>
                    I assume this is because the user already exists in
                dirsrv? Fine.<br>
              </blockquote>
              <br>
              No.  Error 21 is Invalid Syntax.  This means the format of
              the data in the attribute in AD is not correct for the
              given syntax.  For example, if the syntax is Integer, this
              means the data should be a valid integer.  However, AD
              allows data that violates LDAP syntax.<br>
              <br>
              Can you post the data from the AD entry that corresponds
              to uid=username,cn=users,cn=accounts,dc=domain,dc=net? 
              Please be sure to obscure any sensitive data.  I'd like to
              identify the data that is causing this problem.<br>
            </div>
          </blockquote>
          <div><br>
          </div>
          <div>Certainly, here goes:</div>
          <div><br>
          </div>
          <div>
            <div>dn: CN=Firstname
              Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=</div>
            <div> domain,DC=com</div>
            <div>objectClass: top</div>
            <div>objectClass: person</div>
            <div>objectClass: organizationalPerson</div>
            <div>objectClass: user</div>
            <div>cn: Firstname Lastname</div>
            <div>sn: Lastname</div>
            <div>title: Sysadmin</div>
            <div>description: Employee</div>
            <div>physicalDeliveryOfficeName: XX-XX-XX</div>
            <div>telephoneNumber: +00 00 000 0</div>
            <div>facsimileTelephoneNumber: +00 00 000 0</div>
            <div>givenName: Firstname</div>
            <div>distinguishedName: CN=Firstname
              Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=O</div>
            <div> rganization,DC=domain,DC=com</div>
            <div>instanceType: 4</div>
            <div>whenCreated: 20110321122858.0Z</div>
            <div>whenChanged: 20131120104224.0Z</div>
            <div>displayName: Firstname Lastname</div>
            <div>uSNCreated: 76590</div>
            <div> ngame,DC=com</div>
            <div>memberOf:
              CN=All,OU=OrgGroups,OU=Organization,DC=domain,DC=com</div>
            <div>memberOf:
              CN=sysadmins,OU=OrgGroups,OU=Organization,DC=domain,DC=com</div>
            <div>uSNChanged: 66378160</div>
            <div>department: Infrastructure</div>
            <div>company: Company name</div>
            <div>homeMTA: CN=Microsoft MTA,CN=MBX,CN=Servers,CN=Exchange
              Administrative Group (</div>
            <div> FYDIBOHF23SPDLT),CN=Administrative
              Groups,CN=globalmail,CN=Microsoft Exchange</div>
            <div> ,CN=Services,CN=Configuration,DC=domain,DC=com</div>
            <div>proxyAddresses: <a moz-do-not-send="true"
                class="moz-txt-link-freetext" href="SMTP:first.last@">SMTP:first.last@</a><a
                moz-do-not-send="true" href="http://domain.com">domain.com</a></div>
            <div>proxyAddresses: <a moz-do-not-send="true"
                class="moz-txt-link-freetext" href="smtp:first.last@">smtp:first.last@</a><a
                moz-do-not-send="true" href="http://domain2.com">domain2.com</a></div>
            <div>proxyAddresses: <a moz-do-not-send="true"
                class="moz-txt-link-freetext" href="smtp:first.last@">smtp:first.last@</a><a
                moz-do-not-send="true" href="http://domain3.com">domain3.com</a></div>
            <div>proxyAddresses: <a moz-do-not-send="true"
                href="sip:first.last@domain.com">sip:first.last@domain.com</a></div>
            <div>proxyAddresses: X400:C=SE;A=
              ;P=globalmail;O=Exchange;S=Lastname;G=Firstname;</div>
            <div>homeMDB: CN=DB3,CN=SG03 -
              2GB,CN=InformationStore,CN=MBX,CN=Servers,CN=Exchang</div>
            <div> e Administrative Group
              (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=globalma</div>
            <div> il,CN=Microsoft
              Exchange,CN=Services,CN=Configuration,DC=domain,DC=com</div>
            <div>garbageCollPeriod: 1209600</div>
            <div>mDBUseDefaults: TRUE</div>
            <div>extensionAttribute8: Companyname</div>
            <div>mailNickname: username</div>
            <div>protocolSettings:: SFRUUMKnMcKnMcKnwqfCp8KnwqfCpw==</div>
            <div>protocolSettings:: T1dBwqcx</div>
            <div>internetEncoding: 0</div>
            <div>name: Firstnam Lastname</div>
            <div>objectGUID:: pDdL7yY7gEuqRdQLTjLo0w==</div>
            <div>userAccountControl: 512</div>
            <div>badPwdCount: 0</div>
            <div>codePage: 0</div>
            <div>countryCode: 0</div>
            <div>homeDirectory: <a moz-do-not-send="true"
                href="smb://path/to/home">\\path\to\home</a></div>
            <div>homeDrive: H:</div>
            <div>badPasswordTime: 130295283826410995</div>
            <div>lastLogoff: 0</div>
            <div>lastLogon: 130297464093469882</div>
            <div>pwdLastSet: 130294130189116476</div>
            <div>primaryGroupID: 513</div>
            <div>objectSid:: AQUAAAoiadjfojdfojsodijfQkAH5TsrAA==</div>
            <div>accountExpires: 0</div>
            <div>logonCount: 6909</div>
            <div>sAMAccountName: username</div>
            <div>sAMAccountType: 805306368</div>
            <div>showInAddressBook: CN=Default Global Address
              List,CN=All Global Address Lists,</div>
            <div> CN=Address Lists Container,CN=globalmail,CN=Microsoft
              Exchange,CN=Services,CN</div>
            <div> =Configuration,DC=domain,DC=com</div>
            <div>showInAddressBook: CN=All Users,CN=All Address
              Lists,CN=Address Lists Containe</div>
            <div> r,CN=globalmail,CN=Microsoft
              Exchange,CN=Services,CN=Configuration,DC=domain,</div>
            <div> DC=com</div>
            <div>legacyExchangeDN: /o=globalmail/ou=Exchange
              Administrative Group (FYDIBOHF23SP</div>
            <div> DLT)/cn=Recipients/cn=username</div>
            <div>userPrincipalName: <a moz-do-not-send="true"
                href="mailto:first@domain.com">first@domain.com</a></div>
            <div>lockoutTime: 0</div>
            <div>ipPhone: +00 00 00 00</div>
            <div>objectCategory:
              CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com</div>
            <div>dSCorePropagationData: 20131118102944.0Z</div>
            <div>dSCorePropagationData: 20131118102934.0Z</div>
            <div>dSCorePropagationData: 20130313150036.0Z</div>
            <div>dSCorePropagationData: 20120821144903.0Z</div>
            <div>dSCorePropagationData: 16010101181216.0Z</div>
            <div>lastLogonTimestamp: 130294177442871790</div>
            <div>textEncodedORAddress: c=XX;a=
              ;p=globalmail;o=Exchange;s=Lastname;g=Firstname;</div>
            <div>mail: <a moz-do-not-send="true"
                href="mailto:first.last@domain.com">first.last@domain.com</a></div>
            <div>manager: CN=Manager
              Name,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=o</div>
            <div> ngame,DC=com</div>
            <div>mobile:: KzQ2NzI3mjMEMTEwwqAJ</div>
          </div>
        </div>
      </blockquote>
    </blockquote>
    <br>
    I think this may be the problem.  mobile contains non printable
    characters:<br>
    <pre wrap="">$ python
>>> import base64
>>> base64.b64decode('KzQ2NzI3mjMEMTEwwqAJ')
'+46727\x9a3\x04110\xc2\xa0\t'</pre>
    <br>
    Looks like the mobile phone number contains utf8 characters.  It
    must not:<br>
    <pre wrap="">    /* Per RFC4517:
     *
     * TelephoneNumber = PrintableString
     * PrintableString = 1*PrintableCharacter
     */</pre>
    <br>
    Unfortunately, AD syntax checking leaves a lot to be desired, so it
    allows this and other bogus data.  IPA/389 is much stricter.<br>
    <br>
    <br>
    <blockquote cite="mid:5293E3F1.3010002@redhat.com" type="cite">
      <blockquote
        cite="mid:EDC9EBD9-3A79-478A-ACE5-20D493F21857@melt.se"
        type="cite">
        <div>
          <div>
            <div>thumbnailPhoto::
              /9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAABkA</div>
            <div> -snip-</div>
            <div> uaC3IbWlp5cQtpnwnCmjkd9LrDoNFIUDThZwzyrwJbl21//9k=</div>
            <div>msExchHomeServerName: /o=globalmail/ou=Exchange
              Administrative Group (FYDIBOHF</div>
            <div> 23SPDLT)/cn=Configuration/cn=Servers/cn=MBX</div>
            <div>msExchMailboxSecurityDescriptor::
              AQAUjBQAAAAgAAAALAAAAFwAAAABAQAAAAAABQoAAAAB</div>
            <div> -snip-</div>
            <div> AQAAAAAABQoAAAACADAAAgAAAALQFAADAA0AAQEAAAAAAAEAAAAAAtoUAGsBDQABAQAAAAAAAQAAA</div>
            <div>msExchUserAccountControl: 0</div>
            <div>msExchMailboxGuid:: uWv8V7HNHUiyda0z/FRc+w==</div>
            <div>msExchPoliciesIncluded:
              {A64061C3-9598-43A1-9125-B5C682DEDA40},{26491CFC-9E50-</div>
            <div> 4857-861B-0CB8DF22B5D7}</div>
            <div>msRTCSIP-Line: TEL:+46812136492</div>
            <div>msRTCSIP-DeploymentLocator: SRV:</div>
            <div>msExchUserCulture: sv-SE,en-US</div>
            <div>msExchMobileMailboxFlags: 1</div>
            <div>msExchRecipientDisplayType: 1073741824</div>
            <div>msExchVersion: 4535486012416</div>
            <div>msRTCSIP-FederationEnabled: TRUE</div>
            <div>msRTCSIP-PrimaryUserAddress: <a moz-do-not-send="true"
                href="sip:first.last@domain.com">sip:first.last@domain.com</a></div>
            <div>msExchRecipientTypeDetails: 1</div>
            <div>msRTCSIP-InternetAccessEnabled: TRUE</div>
            <div>msRTCSIP-UserPolicies: 0=481565286</div>
            <div>msExchMDBRulesQuota: 64</div>
            <div>msRTCSIP-OptionFlags: 385</div>
            <div>msRTCSIP-UserEnabled: TRUE</div>
            <div>msRTCSIP-PrimaryHomeServer: CN=Lc
              Services,CN=Microsoft,CN=1:1,CN=Pools,CN=RTC</div>
            <div>  Service,CN=Services,CN=Configuration,DC=domain,DC=com</div>
          </div>
          <div><br>
          </div>
          <div>Please note that the same user would sync OK if I hadn't
            attempted to sync it earlier when the duplicate IPA entry
            was in place. This is the strangest part... once a user is
            synced and there's a duplicate in place, we get error 21 and
            after that the user will be ignored in future syncs. Even if
            we recreate the agreement.</div>
          <div><br>
          </div>
          <div>Question, if a duplicate entry exists in IPA, what's the
            expected behaviour? Should the user get synced anyway, or
            should it fail?</div>
        </div>
      </blockquote>
      <br>
      It should get synced - it should try to update the entry with any
      missing or out-of-date information.<br>
      <br>
      <blockquote
        cite="mid:EDC9EBD9-3A79-478A-ACE5-20D493F21857@melt.se"
        type="cite">
        <div>
          <div><br>
          </div>
          <div>Please let me know if you need anything else. Setting
            nsslapd-errorlog-level: 8192 more or less says the same
            thing... error 21, and then it just moves on. I could
            provide you with the debug though, if wanted.</div>
        </div>
      </blockquote>
      <br>
      Yes, please.<br>
      <br>
      <blockquote
        cite="mid:EDC9EBD9-3A79-478A-ACE5-20D493F21857@melt.se"
        type="cite">
        <div><br>
          <blockquote type="cite">
            <div bgcolor="#FFFFFF" text="#000000" style="font-family:
              Helvetica; font-size: 15px; font-style: normal;
              font-variant: normal; font-weight: normal; letter-spacing:
              normal; line-height: normal; orphans: auto; text-align:
              start; text-indent: 0px; text-transform: none;
              white-space: normal; widows: auto; word-spacing: 0px;
              -webkit-text-stroke-width: 0px;"><br>
              <blockquote cite="mid:5293694E.9060606@melt.se"
                type="cite"><br>
                3. Then I remove the corresponding user from IPA and
                force another sync from AD, hoping that the user will
                sync properly this time, and thus have its ntUser*
                attributes created:<br>
                <br>
                    [25/Nov/2013:14:29:09 +0000] NSMMReplicationPlugin -
                agmt="cn=<a moz-do-not-send="true"
                  href="http://metoad.domain.com/">meToAD.domain.com</a>"
                (dc03:389): map_entry_dn_inbound: looking for local
                entry by uid [username]<br>
                    [25/Nov/2013:14:29:09 +0000] - Windows sync entry:
                Adding new local entry dn:
                uid=username,cn=users,cn=accounts,dc=domain,dc=net<br>
                    [25/Nov/2013:14:29:09 +0000] NSMMReplicationPlugin -
                add operation of entry
                uid=username,cn=users,cn=accounts,dc=domain,dc=net
                returned: 21<br>
                <br>
It's like something (either AD or IPA) remembers that a
                user has failed once, and then refuses to sync it any
                more. Removing the winsync agreement and recreating it
                completely doesn't help. The user is still not synced,
                and leaves error code 21.<br>
                <br>
                Anyone have any idea on why this is, and how I can sync
                the user even though it has failed once?<br>
              </blockquote>
            </div>
          </blockquote>
        </div>
        <br>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
      </blockquote>
    </blockquote>
    <br>
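    <div>The diagnosis above (error 21 from winsync because an AD value
      violates the RFC 4517 Telephone Number syntax that 389-ds/IPA
      enforces and AD does not) can be checked on the AD side before a
      sync is attempted. The script below is an added example for this
      thread, not code from the list posters or from the 389-ds/FreeIPA
      projects: it parses an LDIF export of the AD entry (handling
      <code>::</code> base64 values and RFC 2849 folded lines), and
      reports every byte in a Telephone Number attribute that falls
      outside the PrintableString character set from RFC 4517 section 3.2.
      The sample entry is constructed from the redacted values quoted in
      the thread; the set of attributes treated as Telephone Number syntax
      (from RFC 4519 and RFC 4524) is an assumption you may need to extend
      for your schema.</div>

```python
import base64
import string

# RFC 4517 section 3.2: PrintableCharacter = ALPHA / DIGIT / SQUOTE / LPAREN /
# RPAREN / PLUS / COMMA / HYPHEN / DOT / EQUALS / SLASH / COLON / QUESTION / SPACE
PRINTABLE = set(string.ascii_letters + string.digits + "'()+,-./:=? ")

# Attributes with Telephone Number syntax (RFC 4519, RFC 4524). Assumption:
# extend this set for any site-specific attributes using the same syntax.
PHONE_ATTRS = {"telephonenumber", "facsimiletelephonenumber", "mobile",
               "homephone", "pager"}

# Constructed sample, built from the redacted values quoted in the thread.
# The mobile value is the exact base64 string the poster's AD entry carried.
SAMPLE_LDIF = """dn: CN=Firstname Lastname,OU=LDAP,OU=Domain,OU=Users,DC=
 domain,DC=com
objectClass: user
telephoneNumber: +00 00 000 0
ipPhone: +00 00 00 00
mobile:: KzQ2NzI3mjMEMTEwwqAJ
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry (RFC 2849) into {attr_lowercase: [bytes, ...]}.

    Lines beginning with a single space continue the previous line; a
    double colon marks a base64-encoded value, which is decoded to raw bytes.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):              # 'attr:: base64'
            val = base64.b64decode(value[1:].strip())
        else:
            val = value.strip().encode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(val)
    return entry


def printable_violations(value):
    """Return [(offset, byte)] for every byte outside PrintableString."""
    return [(i, b) for i, b in enumerate(value) if chr(b) not in PRINTABLE]


def check_entry(entry):
    """Return {attr: [(value_index, offset, byte)]} for Telephone Number
    attributes whose values 389-ds would reject with error 21."""
    findings = {}
    for attr in sorted(PHONE_ATTRS & set(entry)):
        for idx, val in enumerate(entry[attr]):
            for off, b in printable_violations(val):
                findings.setdefault(attr, []).append((idx, off, b))
    return findings


def report(text):
    """Human-readable summary of syntax violations in one LDIF entry."""
    entry = parse_ldif_entry(text)
    dn = entry.get("dn", [b"?"])[0].decode("utf-8", "replace")
    out = [f"entry: {dn}"]
    findings = check_entry(entry)
    if not findings:
        out.append("  no Telephone Number syntax violations")
    for attr, hits in findings.items():
        for idx, off, b in hits:
            out.append(f"  {attr}[{idx}] offset {off}: byte 0x{b:02x} "
                       f"not a PrintableCharacter")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LDIF))
```

    <div>Run against an <code>ldifde</code> or <code>ldapsearch</code>
      export of the affected AD user, the report names the attribute and
      the exact offsets to clean up in AD; once the value is plain
      PrintableString the entry is accepted and winsync can update it.</div>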
  </body>
</html>