<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 10/23/2014 10:26 AM, Dmitri Pal wrote:<br> </div> <blockquote cite="mid:54492C28.3080302@redhat.com" type="cite"> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> <div class="moz-cite-prefix">On 10/23/2014 08:19 AM, Сапегин Валерий wrote:<br> </div> <blockquote cite="mid:CAOBEyk37qGr0sVgZQQGr_=UNiN3JMEMYM5mtpGS6cFFDnBzG2w@mail.gmail.com" type="cite"> <div dir="ltr"> <div> <div> <div> <div> <div> Hello!<br> <br> </div> I tryed to configure synchronization between FreeIPA and Windows AD 2012. In the thirst time accounts from AD synchronization properly but next schedule after 5 min is not work and in error log I see the following errors:<br> <br> # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors<br> [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt="cn=<a moz-do-not-send="true" href="http://meTocsbi-it-dc01.csbigroup.ru">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.<br> [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt="cn=<a moz-do-not-send="true" href="http://meTocsbi-it-dc01.csbigroup.ru">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.<br> [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt="cn=<a moz-do-not-send="true" href="http://meTocsbi-it-dc01.csbigroup.ru">meTocsbi-it-dc01.csbigroup.ru</a>" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.<br> <br> </div> <div>Thirst synchronization out<br> <br> Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for <a moz-do-not-send="true" href="http://ipa.test-csbi-its.ru">ipa.test-csbi-its.ru</a><br> ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru<br> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru<br> Windows PassSync entry exists, not resetting password<br> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .<br> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0<br> ipa: INFO: Agreement is ready, starting replication . . .<br> Starting replication, please wait until this has completed.<br> Update in progress, 13 seconds elapsed<br> [<a moz-do-not-send="true" href="http://ipa.test-csbi-its.ru">ipa.test-csbi-its.ru</a>] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]<br> </div> </div> </div> </div> </div> </blockquote> <br> Can you connect from this replica to AD using ldapsearch?<br> </blockquote> <br> specifically<br> $ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -ZZ -h fqdn.of.windows.machine -D "cn=administrator,cn=users,dc=csbigroup,dc=ru" -w "windows admin password" -s base -b "cn=users,dc=csbigroup,dc=ru"<br> <br> <blockquote cite="mid:54492C28.3080302@redhat.com" type="cite"> <br> <blockquote cite="mid:CAOBEyk37qGr0sVgZQQGr_=UNiN3JMEMYM5mtpGS6cFFDnBzG2w@mail.gmail.com" type="cite"> <div dir="ltr"> <div> <div> <div> <div><br> Failed to start replication<br> <br> <br> </div> <div><br> </div> FreeIPA server version 3.3.3<br> </div> OS version Centos 7<br> </div> AD Domain 2012<br> <br> </div> <div>Can you help me to resolve this problem?<br> </div> <div><br> </div> <div> <div> <div> <div> <div> <div> <div> <div dir="ltr">Best regards, Valeriy<br> </div> </div> </div> </div> </div> </div> </div> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> <br> </body> </html>