[Freeipa-users] winsync agreement wipes IPA users

Rich Megginson rmeggins at redhat.com
Wed Sep 19 23:03:46 UTC 2012


On 09/19/2012 04:55 PM, Steven Jones wrote:
> Hi,
>
>
> Sample of errors log,
>
> =========
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
> - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
> - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
> successfully committed csn 504d01f7000000110000
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): 
> State: stop_fatal_error -> stop_fatal_error
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): 
> State: stop_fatal_error -> stop_fatal_error
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
> ruv_add_csn_inprogress: successfully inserted csn 504d01f8000000110000 
> into pending list
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state 
> information from entry 
> uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to CSN 
> 504d42c5000000040000
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
> - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program 
> - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database 
> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - ruv_update_ruv: 
> successfully committed csn 504d01f8000000110000
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): 
> State: stop_fatal_error -> stop_fatal_error
> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): 
> State: stop_fatal_error -> stop_fatal_error
> =========

Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?

>
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Wednesday, 19 September 2012 12:32 a.m.
> *To:* Steven Jones
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/17/2012 07:10 PM, Steven Jones wrote:
>> Hi,
>>
>> I understand that I'll lose users that are cn=Staff_Admins,dc=etc
>>
>> So the Q is why I am losing users in the --win-subtree 
>> cn=VUW_Staff,dc= etc
>
>
>
>>
>> This I don't understand....
>>
>> I have the -v already, any way to make it very verbose?
>
> http://port389.org/wiki/FAQ#Troubleshooting
> Use the replication log level 8192
> I'd like to see the directory server errors log 
> /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under 
> the --win-subtree cn=VUW_Staff,dc= etc
>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson [rmeggins at redhat.com]
>> *Sent:* Tuesday, 18 September 2012 12:47 p.m.
>> *To:* Steven Jones
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> On 09/17/2012 06:17 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> The first time missed the --win-subtree settings so I wiped the 
>>> admins in the IPA admin group and users as they were not in cn=users 
>>> as per the bug.  The second time as far as I can tell I specified 
>>> the correct cn via win-subtree flag but I still appear to have lost 
>>> the users in IPA.....now I expected to lose the admins but the loss 
>>> of users as well confounds me.
>>>
>>> I did an ldapsearch as per checking and it seems to be saying the 
>>> right folder/ou/cn but IPA is empty.
>>>
>>> Hence I was wondering if there was a log recording what the update 
>>> was doing so I could try and figure out the mistake.  I've tried 
>>> grepping, can't find any indication.
>>>
>>> I will re-try with -v, verbose.
>>
>> It is not clear from the manuals, but no matter what --win-subtree you 
>> specify, winsync will search AD starting from the dc=domain suffix.  
>> So, for example, if you have
>> cn=mystaff,cn=staff,dc=example,dc=com
>> and you specify
>> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
>> winsync will still search starting from dc=example,dc=com and will 
>> hit ticket/355 if there are any users outside of 
>> cn=mystaff,cn=staff,dc=example,dc=com that have the same username as 
>> a user in IPA.
>>
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>> *Sent:* Tuesday, 18 September 2012 11:37 a.m.
>>> *To:* Steven Jones
>>> *Cc:* freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>
>>> On 09/17/2012 04:17 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> I just tried to do a winsync agreement with specifying the AD point 
>>>> as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my users are 
>>>> not in the users folder but the VUW_Staff folder (at the same 
>>>> level) and it wiped all IPA users that are also in AD.
>>>
>>> Yes, this is what happens with https://fedorahosted.org/389/ticket/355
>>> #355     winsync should not delete entry that appears to be out of scope
>>>
>>>> While doing the actual update does this get verbosely logged 
>>>> anywhere as opposed to "update in progress" dumped to the screen?  
>>>> Something went badly wrong, I just don't know what.
>>>
>>> You are seeing something different than #355?
>>>
>>>>
>>>> :/
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>
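
The scoping behaviour described in this thread (winsync searching from the domain suffix regardless of --win-subtree, and ticket #355 hitting same-named users outside the subtree) can be checked before an agreement is created. The following is an added example, not code from the thread or from the 389/FreeIPA projects; it assumes the AD username is sAMAccountName, the IPA username is uid, and that both lists were exported beforehand. All entries are constructed sample data.

```python
# Added example: list AD accounts outside --win-subtree that share a
# username with an IPA user (the situation described for ticket #355).

def parse_dn(dn):
    """Split a DN into lowercased (attr, value) RDNs; honours backslash-escaped commas."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc or ch != ",":
            cur.append(ch)
            esc = (ch == "\\") and not esc
        else:
            parts.append("".join(cur))
            cur = []
    parts.append("".join(cur))
    return [tuple(p.strip().lower() for p in r.partition("=")[::2]) for r in parts]

def in_subtree(dn, subtree):
    """True if dn is the subtree base or below it, compared RDN by RDN."""
    d, s = parse_dn(dn), parse_dn(subtree)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def at_risk(ad_entries, ipa_uids, win_subtree):
    """Return sorted (uid, AD DN) pairs: same username as an IPA user, DN out of scope."""
    ipa = {u.lower() for u in ipa_uids}
    return sorted(
        (sam.lower(), dn)
        for dn, sam in ad_entries
        if sam.lower() in ipa and not in_subtree(dn, win_subtree)
    )

# Constructed sample data: (AD DN, sAMAccountName) as AD would return them.
AD = [
    ("CN=Alice Smith,CN=mystaff,CN=staff,DC=example,DC=com", "asmith"),
    ("CN=Doe\\, Jane,CN=mystaff, CN=staff,DC=example,DC=com", "jdoe"),
    ("CN=Bob Admin,CN=Staff_Admins,DC=example,DC=com", "BAdmin"),
    ("CN=Old Alice,CN=Users,DC=example,DC=com", "asmith"),
    ("CN=Eve,CN=Users,DC=example,DC=com", "eve"),
]
IPA_UIDS = ["asmith", "jdoe", "badmin"]          # constructed IPA usernames
SUBTREE = "cn=mystaff,cn=staff,dc=example,dc=com"  # example subtree from the thread

if __name__ == "__main__":
    for uid, dn in at_risk(AD, IPA_UIDS, SUBTREE):
        print(f"IPA user {uid!r} collides with out-of-scope AD entry: {dn}")
```

Any pair it reports is an IPA account to back up or rename before the sync agreement is initialised. Multi-valued RDNs (joined with "+") are not handled.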
