[Freeipa-users] FreeIPA password sync one direction only (Windows DC -> IPA)
Rich Megginson
rmeggins at redhat.com
Tue May 21 19:22:20 UTC 2013
On 05/21/2013 11:58 AM, Steve Dainard wrote:
> So over the weekend, with some serious tinkering I managed to brick
> that install beyond recovery.
>
> I've reinstalled, setup freeipa as a standalone CA with dns, and did
> the initial winsync agreement.
>
> After the initial agreement was synced I modified the
> nsds7WindowsReplicaSubtree entry
How? ldapmodify?
> to reflect the AD group I want users sync'd from: CN=Shared Login,
> CN=Users,DC=miovision,DC=corp.
Why didn't you just specify "CN=Shared Login,
CN=Users,DC=miovision,DC=corp" initially with ipa-replica-manage
--win-subtree?
> Note when attempting to do an initial ldapsearch I got a 'can't
> connect to LDAP server' message,
Can you provide the exact ldapsearch command line you tried?
> and had to manually start dirsrv... this is probably already a bad sign.
Was dirsrv running after you modified the nsds7WindowsReplicaSubtree entry?
Did dirsrv crash? Do you see any "Detected Disorderly Shutdown" messages in
your errors logs?
>
> Although the documentation mentions changes will be applied on next
> sync when 'nsds7WindowsReplicaSubtree' is changed, they do not.
Did you use ldapmodify to change it?
> Also if I try to include the --win-subtree=CN=Shared
> Login,CN=Users,DC=miovision,DC=corp argument I get an invalid password
> message; this might be because I didn't quote the DN, though.
Yes, that's likely.
> So I then ran ipa-replica-manage re-initialize --from dc1.miovision.corp.
>
> I now have a screen session with an incredible amount of "Update in
> progress" lines which has been running for about 30 minutes now
> (triggered at 12:58:56). I tried this on the weekend as well, and the
> process ran overnight so I killed it and had to start from scratch again.
>
> The dirsrv error log is:
> [21/May/2013:12:24:01 -0400] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [21/May/2013:12:24:01 -0400] - Listening on All Interfaces port 636
> for LDAPS requests
> [21/May/2013:12:24:01 -0400] - Listening on
> /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests
> [21/May/2013:12:50:13 -0400] - slapd shutting down - signaling
> operation threads
> [21/May/2013:12:50:13 -0400] - slapd shutting down - closing down
> internal subsystems and plugins
> [21/May/2013:12:50:13 -0400] - Waiting for 4 database threads to stop
> [21/May/2013:12:50:13 -0400] - All database threads now stopped
> [21/May/2013:12:50:13 -0400] - slapd stopped.
> [21/May/2013:12:50:16 -0400] - 389-Directory/1.2.11.15 B2013.105.2259 starting up
> [21/May/2013:12:50:16 -0400] schema-compat-plugin - warning: no
> entries set up under cn=computers, cn=compat,dc=miovision,dc=linux
> [21/May/2013:12:50:16 -0400] schema-compat-plugin - warning: no
> entries set up under cn=ng, cn=compat,dc=miovision,dc=linux
> [21/May/2013:12:50:16 -0400] schema-compat-plugin - warning: no
> entries set up under ou=sudoers,dc=miovision,dc=linux
> [21/May/2013:12:50:16 -0400] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found,
> which should be added before the CoS Definition.
> [21/May/2013:12:50:16 -0400] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found,
> which should be added before the CoS Definition.
> [21/May/2013:12:50:16 -0400] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [21/May/2013:12:50:16 -0400] - Listening on All Interfaces port 636
> for LDAPS requests
> [21/May/2013:12:50:16 -0400] - Listening on
> /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests
> [21/May/2013:12:50:18 -0400] - Entry
> "cn=meTodc1.miovision.corp,cn=replica,cn=dc\3Dmiovision\2Cdc\3Dlinux,cn=mapping
> tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not
> allowed
> [21/May/2013:12:50:18 -0400] NSMMReplicationPlugin -
> agmt="cn=meTodc1.miovision.corp" (dc1:389): Replica has no update
> vector. It has never been initialized.
> [21/May/2013:12:50:18 -0400] NSMMReplicationPlugin -
> agmt="cn=meTodc1.miovision.corp" (dc1:389): Replica has no update
> vector. It has never been initialized.
> [21/May/2013:12:50:18 -0400] NSMMReplicationPlugin -
> agmt="cn=meTodc1.miovision.corp" (dc1:389): Replica has no update
> vector. It has never been initialized.
> [21/May/2013:12:50:20 -0400] NSMMReplicationPlugin - Beginning total
> update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".
> [21/May/2013:12:50:21 -0400] - Entry
> "uid=krbtgt,cn=users,cn=accounts,dc=miovision,dc=linux" missing
> attribute "sn" required by object class "person"
> [21/May/2013:12:50:21 -0400] - Entry
> "uid=krbtgt_18424,cn=users,cn=accounts,dc=miovision,dc=linux" missing
> attribute "sn" required by object class "person"
> [21/May/2013:12:50:21 -0400] - Entry
> "uid=IUSR_MIOFILES,cn=users,cn=accounts,dc=miovision,dc=linux" missing
> attribute "sn" required by object class "person"
> [21/May/2013:12:50:21 -0400] - Entry
> "uid=IWAM_MIOFILES,cn=users,cn=accounts,dc=miovision,dc=linux" missing
> attribute "sn" required by object class "person"
> [21/May/2013:12:50:21 -0400] - Entry
> "uid=backup,cn=users,cn=accounts,dc=miovision,dc=linux" missing
> attribute "sn" required by object class "person"
> [21/May/2013:12:50:21 -0400] - Entry
> "uid=Guest,cn=users,cn=accounts,dc=miovision,dc=linux" missing
> attribute "sn" required by object class "person"
> [21/May/2013:12:50:22 -0400] - Entry
> "uid=ldap-auth,cn=users,cn=accounts,dc=miovision,dc=linux" missing
> attribute "sn" required by object class "person"
> [21/May/2013:12:50:22 -0400] - Entry
> "uid=Administrator,cn=users,cn=accounts,dc=miovision,dc=linux" missing
> attribute "sn" required by object class "person"
> [21/May/2013:12:50:22 -0400] NSMMReplicationPlugin - Finished total
> update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)". Sent 2
> entries.
> [21/May/2013:12:50:23 -0400] - slapd shutting down - signaling
> operation threads
> [21/May/2013:12:50:23 -0400] - slapd shutting down - closing down
> internal subsystems and plugins
> [21/May/2013:12:50:23 -0400] - Waiting for 4 database threads to stop
> [21/May/2013:12:50:23 -0400] - All database threads now stopped
> [21/May/2013:12:50:23 -0400] - slapd stopped.
> [21/May/2013:12:54:14 -0400] - 389-Directory/1.2.11.15 B2013.105.2259 starting up
> [21/May/2013:12:54:14 -0400] schema-compat-plugin - warning: no
> entries set up under cn=computers, cn=compat,dc=miovision,dc=linux
> [21/May/2013:12:54:14 -0400] schema-compat-plugin - warning: no
> entries set up under cn=ng, cn=compat,dc=miovision,dc=linux
> [21/May/2013:12:54:14 -0400] schema-compat-plugin - warning: no
> entries set up under ou=sudoers,dc=miovision,dc=linux
> [21/May/2013:12:54:14 -0400] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found,
> which should be added before the CoS Definition.
> [21/May/2013:12:54:14 -0400] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=miovision,dc=linux--no CoS Templates found,
> which should be added before the CoS Definition.
> [21/May/2013:12:54:14 -0400] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [21/May/2013:12:54:14 -0400] - Listening on All Interfaces port 636
> for LDAPS requests
> [21/May/2013:12:54:14 -0400] - Listening on
> /var/run/slapd-MIOVISION-LINUX.socket for LDAPI requests
> [21/May/2013:12:58:56 -0400] NSMMReplicationPlugin - Beginning total
> update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".
>
> Am I encountering this issue because of the win-subtree setting?
What issue?
> Is it considered bad practice to set a group like this?
It should be fine.
> I'm not sure what else I would do, as this is the only group which
> contains all of my users, and they reside in their respective OUs
> instead of the Users CN.
It should be fine.
>
> I've since enabled replication logging, but additional information is
> minimal:
> [21/May/2013:12:58:56 -0400] NSMMReplicationPlugin - Beginning total
> update of replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)".
> [21/May/2013:13:54:14 -0400] NSMMReplicationPlugin - Running Dirsync
So it's hung here?
>
> #top shows ns-slapd maxing out the CPU.
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 5252 dirsrv 20 0 1177m 33m 8464 S 99.8 3.3 57:17.08 ns-slapd
Can you do a pstack of the process?
pstack 5252
>
>
>
>
> Steve Dainard
> Infrastructure Manager
> Miovision Technologies Inc.
> Phone: 519-513-2407 x250
>
>
> On Fri, May 17, 2013 at 2:09 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> On 05/17/2013 12:03 PM, Steve Dainard wrote:
>> Thanks for getting me on the right track.
>>
>> Yes to the Windows sync agreement.
>>
>> I'm not sure if this is related to password sync'ing, but it
>> looks like a sync operation is triggering (and failing) every 4
>> seconds on one of my users:
>>
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): State: start_backoff
>> -> backoff
>> [17/May/2013:13:28:42 -0400] - acquire_replica, supplier RUV:
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - supplier:
>> {replicageneration} 50802036000000030000
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - supplier:
>> {replica 3 ldap://ipa1.miovision.linux:389} 50802036000100030000
>> 51966776000100030000 51966776
>> [17/May/2013:13:28:42 -0400] - acquire_replica, consumer RUV:
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - consumer:
>> {replicageneration} 50802036000000030000
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - consumer:
>> {replica 3 ldap://ipa1.miovision.linux:389} 50802036000100030000
>> 515ad91f000000030000 00000000
>> [17/May/2013:13:28:42 -0400] - acquire_replica, supplier RUV is newer
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): Cancelling linger on
>> the connection
>> [17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time: gen
>> state before 519668c60001:1368811718:0:0
>> [17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time: gen
>> state after 519668ca0000:1368811722:0:0
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff ->
>> sending_updates
>> [17/May/2013:13:28:42 -0400] - csngen_adjust_time: gen state
>> before 519668ca0001:1368811722:0:0
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFile: found DB object f6d910 for database
>> /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4
>> [17/May/2013:13:28:42 -0400] - _cl5PositionCursorForReplay
>> (agmt="cn=meTodc1.miovision.corp" (dc1:389)): Consumer RUV:
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): {replicageneration}
>> 50802036000000030000
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3
>> ldap://ipa1.miovision.linux:389} 50802036000100030000
>> 515ad91f000000030000 00000000
>> [17/May/2013:13:28:42 -0400] - _cl5PositionCursorForReplay
>> (agmt="cn=meTodc1.miovision.corp" (dc1:389)): Supplier RUV:
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): {replicageneration}
>> 50802036000000030000
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3
>> ldap://ipa1.miovision.linux:389} 50802036000100030000
>> 51966776000100030000 51966776
>> [17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp"
>> (dc1:389) - clcache_get_buffer: found thread private buffer cache
>> 7f30bc061d00
>> [17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp"
>> (dc1:389) - clcache_get_buffer: _pool is 2e7cc10
>> _pool->pl_busy_lists is 7f30bc050790
>> _pool->pl_busy_lists->bl_buffers is 7f30bc061d00
>> [17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp"
>> (dc1:389) - session start: anchorcsn=515ad91f000000030000
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - changelog
>> program - agmt="cn=meTodc1.miovision.corp" (dc1:389): CSN
>> 515ad91f000000030000 found, position set for replay
>> [17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp"
>> (dc1:389) - load=1 rec=1 csn=515ae3f4000000030000
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> windows_replay_update: Looking at modify operation local
>> dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
>> (ours,user,not group)
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> map_entry_dn_outbound: looking for AD entry for DS
>> dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
>> guid="ba17f9770e0c814cb9eea9df2d4df61a"
>> [17/May/2013:13:28:42 -0400] - Calling windows entry search
>> request plugin
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not
>> retrieve entry from Windows using search base
>> [<GUID=ba17f9770e0c814cb9eea9df2d4df61a>] scope [0] filter
>> [(objectclass=*)]: error 1:Operations error
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> map_entry_dn_outbound: return code -1 from search for AD entry
>> dn="<GUID=ba17f9770e0c814cb9eea9df2d4df61a>" or dn="(null)"
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> map_entry_dn_outbound: entry not found - rc -1
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> windows_replay_update: Processing modify operation local
>> dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
>> remote dn="<GUID=ba17f9770e0c814cb9eea9df2d4df61a>"
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> map_entry_dn_outbound: looking for AD entry for DS
>> dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
>> guid="ba17f9770e0c814cb9eea9df2d4df61a"
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> map_entry_dn_outbound: looking for AD entry for DS
>> dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux"
>> username="jkeller"
>> [17/May/2013:13:28:42 -0400] - Calling windows entry search
>> request plugin
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not
>> retrieve entry from Windows using search base
>> [dc=miovision,dc=corp] scope [2] filter
>> [(samAccountName=jkeller)]: error 1:Operations error
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> map_entry_dn_outbound: entry not found - rc -1
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> map_entry_dn_outbound: failed to fetch entry from AD:
>> dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux", err=-1
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389):
>> windows_replay_update: update password returned 1
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): Consumer failed to
>> replay change (uniqueid cd3be819-21c711e2-96aaaa0d-17c9983f, CSN
>> 515ae3f4000000030000): Operations error. Will retry later.
>> [17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp"
>> (dc1:389) - session end: state=0 load=1 sent=1 skipped=0
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): Beginning linger on
>> the connection
>> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): State:
>> sending_updates -> start_backoff
>>
>>
>>
>> Here's the output of an ldapsearch for the user jkeller:
>>
>> #/usr/bin/ldapsearch -h dc1.miovision.corp -D "ldap-auth@miovision.corp" -W
>> -b "dc=miovision,dc=corp" '(samAccountName=jkeller)' cn
>> samAccountName
>>
>> # Joel Keller, 01Engineering, miovision.corp
>> dn: CN=Joel Keller,OU=01Engineering,DC=miovision,DC=corp
>> cn: Joel Keller
>> sAMAccountName: jkeller
>>
>>
>>
>> When I change my password on the IPA server, it looks like the
>> change is queued:
>>
>> [17/May/2013:13:53:48 -0400] - _csngen_adjust_local_time: gen
>> state before 51966eab0001:1368813227:0:0
>> [17/May/2013:13:53:48 -0400] - _csngen_adjust_local_time: gen
>> state after 51966eac0000:1368813228:0:0
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
>> ruv_add_csn_inprogress: successfully inserted csn
>> 51966eac000000030000 into pending list
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - Purged state
>> information from entry
>> uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux up to CSN
>> 518d33f9000700030000
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object f6d910 for
>> database
>> /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object f6d910 for
>> database
>> /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
>> ruv_update_ruv: successfully committed csn 51966eac000000030000
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
>> ruv_add_csn_inprogress: successfully inserted csn
>> 51966eac000100030000 into pending list
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - Purged state
>> information from entry
>> uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux up to CSN
>> 518d342c000000030000
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object f6d910 for
>> database
>> /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object f6d910 for
>> database
>> /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
>> ruv_update_ruv: successfully committed csn 51966eac000100030000
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): State: start_backoff
>> -> backoff
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
>> ruv_add_csn_inprogress: successfully inserted csn
>> 51966eac000200030000 into pending list
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - Purged state
>> information from entry
>> uid=sdainard,cn=users,cn=accounts,dc=miovision,dc=linux up to CSN
>> 518d342c000100030000
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object f6d910 for
>> database
>> /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - changelog
>> program - _cl5GetDBFileByReplicaName: found DB object f6d910 for
>> database
>> /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_50802036000000030000.db4
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
>> ruv_update_ruv: successfully committed csn 51966eac000200030000
>> [17/May/2013:13:53:48 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff -> backoff
>>
>>
>>
>> Perhaps whatever is causing the sync error with user jkeller is
>> holding up the queued transactions?
>
> Yes. It is attempting to replay the password change operation.
> It first tries to find the entry in AD, but that is failing with
> operations error.
>
> Try doing the ldapsearch with the same bind DN and password you
> specified when you set up the winsync agreement. Or did you use
> "ldap-auth@miovision.corp"?
>
> Another difference is that winsync uses LDAPS - so try this:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -H
> ldaps://dc1.miovision.corp -D "ldap-auth@miovision.corp" -W
> -b "dc=miovision,dc=corp" '(samAccountName=jkeller)' cn samAccountName
>
>
>>
>>
>>
>>
>> Steve Dainard
>> Infrastructure Manager
>> Miovision Technologies Inc.
>>
>>
>> On Fri, May 17, 2013 at 11:39 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>> On 05/17/2013 09:26 AM, Steve Dainard wrote:
>>> Hello,
>>>
>>> We're running a single IPA server (CentOS 6) on our network
>>> as a side project for some testing before we implement.
>>>
>>> It had been a significant period of time since I had last
>>> logged into the web interface, so I had to kinit from a
>>> client machine (of which I had logged into successfully with
>>> my domain password), at which point I was requested to
>>> change my password. After the password change I RDP'd into a
>>> Windows machine on our domain and realized the password had
>>> not been updated on the domain controller.
>>>
>>> Is the password sync feature with an external source such as
>>> Active Directory supposed to be two-way? If so where can I
>>> start troubleshooting this issue?
>>
>> Are you talking about a windows sync agreement you set up
>> with ipa-replica-manage?
>> If so, yes, the password sync is supposed to be two-way.
>> Try this:
>> turn on the replication log level
>> http://port389.org/wiki/FAQ#Troubleshooting
>> change your IPA password
>> turn off the replication log level
>> http://port389.org/wiki/FAQ#Troubleshooting
>> see if you can use your new password in AD
>>
>> The 389 errors log in
>> /var/log/dirsrv/slapd-YOUR-DOMAIN/errors may contain a clue.
>>
>>>
>>> Thanks,
>>>
>>>
>>>
>>> Steve Dainard
>>> Infrastructure Manager
>>> Miovision Technologies Inc.
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
>
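Rich's suggestion earlier in the thread (turn on the replication log level, change a password, read the errors log) produces exactly the kind of output Steve pasted. As an added example, not code from this thread or from 389-ds/FreeIPA, here is a small Python triage script that reads such replication-level lines, decodes the CSNs (389-ds packs the generation time as epoch seconds into the first 8 hex characters, then sequence number, replica id and sub-sequence), and reports which change an agreement keeps failing to replay, how often it retries, and which locally committed changes are queued behind it. The log lines embedded in it are constructed to mirror the ones quoted above, and the function names are mine, not anything the list discussed.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the replication-level log lines quoted in the
# thread; not a verbatim capture from any server.
SAMPLE_LOG = """\
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: start_backoff -> backoff
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff -> sending_updates
[17/May/2013:13:28:42 -0400] - Calling windows entry search request plugin
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Consumer failed to replay change (uniqueid cd3be819-21c711e2-96aaaa0d-17c9983f, CSN 515ae3f4000000030000): Operations error. Will retry later.
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: sending_updates -> start_backoff
[17/May/2013:13:28:46 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: start_backoff -> backoff
[17/May/2013:13:28:46 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff -> sending_updates
[17/May/2013:13:28:46 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Consumer failed to replay change (uniqueid cd3be819-21c711e2-96aaaa0d-17c9983f, CSN 515ae3f4000000030000): Operations error. Will retry later.
[17/May/2013:13:28:46 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: sending_updates -> start_backoff
[17/May/2013:13:53:48 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 51966eac000000030000
"""

LOG_LINE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")
AGMT = re.compile(r'agmt="([^"]+)"')
STATE = re.compile(r"State: (\w+) -> (\w+)")
FAILED = re.compile(r"Consumer failed to replay change \(uniqueid ([0-9a-f-]+), "
                    r"CSN ([0-9a-f]{20})\): (.*?)\. Will retry later\.")
COMMITTED = re.compile(r"successfully committed csn ([0-9a-f]{20})")

def decode_csn(csn):
    """Split a 389-ds CSN: 8 hex chars of epoch seconds, 4 of sequence number,
    4 of replica id, 4 of sub-sequence."""
    if not re.fullmatch(r"[0-9a-f]{20}", csn):
        raise ValueError(f"not a 389-ds CSN: {csn!r}")
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }

def parse_log(text):
    """Keep only agreement state changes, replay failures and local commits."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        body = m.group(2)
        agmt = AGMT.search(body)
        ev = {"time": when, "agreement": agmt.group(1) if agmt else None}
        s, f, c = STATE.search(body), FAILED.search(body), COMMITTED.search(body)
        if s:
            ev.update(kind="state", frm=s.group(1), to=s.group(2))
        elif f:
            ev.update(kind="replay_failed", uniqueid=f.group(1), csn=f.group(2), error=f.group(3))
        elif c:
            ev.update(kind="committed", csn=c.group(1))
        else:
            continue  # other replication chatter is not needed for triage
        events.append(ev)
    return events

def summarize_stuck_changes(events):
    """Per failing CSN: retry count and interval, originating replica id, and how
    old the change is relative to the newest log line. A weeks-old CSN that is
    still being retried is what holds up everything queued behind it."""
    newest = max(e["time"] for e in events)
    stuck = {}
    for e in events:
        if e["kind"] != "replay_failed":
            continue
        s = stuck.setdefault(e["csn"], {"agreement": e["agreement"], "uniqueid": e["uniqueid"],
                                        "error": e["error"], "failures": 0,
                                        "first": e["time"], "last": e["time"]})
        s["failures"] += 1
        s["first"], s["last"] = min(s["first"], e["time"]), max(s["last"], e["time"])
    for csn, s in stuck.items():
        origin = decode_csn(csn)
        s["replica_id"] = origin["replica_id"]
        s["change_age_seconds"] = int((newest - origin["time"]).total_seconds())
        span = (s["last"] - s["first"]).total_seconds()
        s["retry_interval_seconds"] = int(span / (s["failures"] - 1)) if s["failures"] > 1 else None
    return stuck

def changes_queued_behind(events, stuck_csn):
    """Locally committed CSNs newer than the stuck one. Fixed-width lowercase hex
    sorts in time order, so plain string comparison is enough."""
    return sorted({e["csn"] for e in events if e["kind"] == "committed" and e["csn"] > stuck_csn})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for csn, s in summarize_stuck_changes(evs).items():
        print(f"{s['agreement']}: CSN {csn} (replica {s['replica_id']}) failed {s['failures']}x, "
              f"retried every ~{s['retry_interval_seconds']}s with '{s['error']}'; change is "
              f"{s['change_age_seconds'] // 86400} days old; queued behind it: "
              f"{changes_queued_behind(evs, csn)}")
```

Run it as-is for the built-in sample, or feed the contents of /var/log/dirsrv/slapd-YOUR-DOMAIN/errors (captured while the replication log level is on) to parse_log. A CSN whose decoded time is weeks older than the surrounding log lines, retried every few seconds with "Operations error", matches the symptom in the thread: the newer password-change CSNs committed locally sit in the changelog behind it until the lookup against AD succeeds.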