[Fedora-directory-users] Windows sync not syncing users with passwords

[William Francis]

I have FDS installed on FC3 and configured to talk to a SBS AD server.

I believe all is well as far as SSL certificates go and if I leave the 
"Sync New Windows Users" option off in my Windows replication agreement, 
I can readily complete full resyncs and incremental. All of my 
non-regular users (mostly Group and the the likes of the (disabled) 
Guest account) show up in my FDS directory. No users with passwords show 
up, though I'm not suggesting that's the reason they don't show up, but 
that's the only thing in common I can imagine.

The AD user that I have the replication agreement setup as is an 
Administrator, and if I bind to my AD tree via LDAP with another tool I 
can see all the users just fine.

I further believe that I likely have the Password Sync Service setup 
correctly, as again the user mentioned in the agreement is a valid user 
and from an external browsing tool works fine. I've used certutil.exe -L 
and verified the certs in the Redhat Password sync directory are correct 
(I have both CA and regular cert in there) and trusted.

If I install from scratch and do not enable the syncing of all users, 
complete and incremental updates work just fine. I'm not 100% certain I 
have my entire FDS configured correctly, but thanks to many people in 
IRC (notably richm!) I believe it's probably ok. I'm very willing to 
review possible areas for mistakes there.

However, once I enable the 'Sync New Windows Uses' option, updates never 
finish, the load as shown in top(1) is at 100% usage, and I have to kill 
the slapd process with -9 to get it to stop (through it's still 
responsive, but somehow seems stuck on the replication it has not 
completed) and I see this in strace

poll([{fd=24, events=POLLIN}, {fd=8, events=POLLIN}, {fd=9, 
events=POLLIN}], 3, 250) = 0 gettimeofday({1120864747, 807852}, NULL) = 0

over and over again.

Any ideas? I can find me in the IRC channel as 'rasp'

thank you