[Freeipa-users] Sync with AD error

Rob Crittenden rcritten at redhat.com
Fri Mar 11 21:19:30 UTC 2011


Sigbjørn Lie wrote:
> On 03/11/2011 09:16 PM, Rob Crittenden wrote:
>> Sigbjørn Lie wrote:
>>> Hi,
>>>
>>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
>>> sync agreement with Active Directory.
>>>
>>> Added CA certificate /root/testing-ca.cer to certificate database for
>>> ipasrv01.ix.testing.com
>>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>>> The user for the Windows PassSync service is
>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>>> Windows PassSync entry exists, not resetting password
>>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110311195207Z: end: 20110311195207Z
>>> ipa: INFO: Agreement is ready, starting replication . . .
>>> ipa: INFO: Failed to create public entry for winsync replica
>>> Starting replication, please wait until this has completed.
>>> Update succeeded
>>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>>
>>>
>>> Now I can't list the sync agreements. All I get is:
>>>
>>> # ipa-replica-manage list
>>> unexpected error: * not found
>>>
>>> Any ideas?
>>
>> Can you try running /usr/sbin/ipa-ldap-updater?
>>
>> The problem is this didn't run at install so the spot in the DIT to
>> store windows replication agreement info wasn't created, so it
>> couldn't be added (the Failed to create public entry for winsync
>> replica part).
>>
>> Once you've run ipa-ldap-updater you can add the info with something
>> like:
>>
>> ldapmodify -x -D 'cn=directory manager' -W
>> dn: cn=addc01.ad.testing.com,cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
>> changetype: add
>> objectclass: nsContainer
>> objectclass: ipaConfigObject
>> cn: addc01.ad.testing.com
>> ipaConfigString: winsync:ipasrv01.ix.testing.com
>> <add an extra RETURN>
>>
>> ^D to quit
>>
> Hi,
>
> Thank you. I tried this, the ipa-ldap-updater script updated and created
> quite a few entries and exited without any errors. I then added the info
> as you suggested, also without any errors. However listing replicas
> still doesn't work. Actually, running force-sync or re-initialize yells
> exactly the same error message.
>
> # ipa-replica-manage list
> unexpected error: * not found

Hmm, can you provide the output of (you can send privately if you want):

kinit admin
ldapsearch -Y GSSAPI -b cn=masters,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com

and

ldapsearch -Y GSSAPI -b cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com

There must be an additional entry that wasn't added but I haven't 
figured out what it is yet.

rob
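The fix Rob outlines above, scripted as an added shell example that is not part of the original thread or of FreeIPA itself: it first checks that the cn=replicas container exists (the spot ipa-ldap-updater is supposed to create), adds the winsync "public entry" only if it is not already there, and otherwise points you back to the updater. The function names and the three positional arguments are this example's own; the hostnames and suffix are the ones from the thread and must be replaced with yours. It assumes a valid Kerberos ticket (kinit admin) for the GSSAPI searches and the Directory Manager password for the add.

```shell
#!/bin/sh
# Added example, not FreeIPA's own tooling. Usage:
#   sh winsync-entry.sh addc01.ad.testing.com ipasrv01.ix.testing.com dc=ix,dc=testing,dc=com

# Emit the LDIF for the winsync entry under cn=replicas.
# Arguments: AD host, IPA host, IPA base DN (assumed layout from the thread).
winsync_ldif() {
    ad_host=$1; ipa_host=$2; suffix=$3
    # The dn must be a single line; an LDIF continuation line needs a leading space,
    # and a blank line between dn and changetype would end the record early.
    printf 'dn: cn=%s,cn=replicas,cn=ipa,cn=etc,%s\n' "$ad_host" "$suffix"
    printf 'changetype: add\n'
    printf 'objectclass: nsContainer\n'
    printf 'objectclass: ipaConfigObject\n'
    printf 'cn: %s\n' "$ad_host"
    printf 'ipaConfigString: winsync:%s\n' "$ipa_host"
    printf '\n'   # blank line terminates the record
}

# Return 0 if the entry with DN $1 exists (base-scope search, Kerberos auth).
entry_exists() {
    ldapsearch -LLL -Y GSSAPI -s base -b "$1" '(objectclass=*)' dn >/dev/null 2>&1
}

# Pre-flight the container, then add the entry if it is missing.
apply_winsync_fix() {
    ad_host=$1; ipa_host=$2; suffix=$3
    container="cn=replicas,cn=ipa,cn=etc,$suffix"
    if ! entry_exists "$container"; then
        echo "$container is missing: run /usr/sbin/ipa-ldap-updater first" >&2
        return 1
    fi
    if entry_exists "cn=$ad_host,$container"; then
        echo "winsync entry for $ad_host already present, nothing to do"
        return 0
    fi
    winsync_ldif "$ad_host" "$ipa_host" "$suffix" \
        | ldapmodify -x -D 'cn=directory manager' -W
}

if [ "$#" -eq 3 ]; then
    apply_winsync_fix "$1" "$2" "$3"
fi
```

After a successful add, re-run `ipa-replica-manage list`; if it still fails with `* not found`, the thread above shows that the missing piece may be elsewhere, and the two ldapsearch commands Rob asks for are the next diagnostic step.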
