[Freeipa-users] IPA winsync replication

Rich Megginson rmeggins at redhat.com
Mon Nov 25 16:21:03 UTC 2013


On 11/25/2013 08:14 AM, Emil Petersson wrote:
> Hi,
>
> I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some unexpected 
> behaviour with winsync replication.
>
> 1. I have a working winsync agreement, and users are synced correctly.
>
> 2. If a user already exists in IPA when I sync it from AD, I'm 
> seeing the following in the dirsrv error logs:
>
>     [25/Nov/2013:14:29:03 +0000] NSMMReplicationPlugin - 
> windows_update_local_entry: failed to modify entry 
> uid=username,cn=users,cn=accounts,dc=domain,dc=net - error 21:Invalid 
> syntax
>
>     I assume this is because the user already exists in dirsrv? Fine.

No.  Error 21 is Invalid Syntax.  This means the format of the data in 
the attribute in AD is not correct for the given syntax.  For example, 
if the syntax is Integer, this means the data should be a valid 
integer.  However, AD allows data that violates LDAP syntax.

Can you post the data from the AD entry that corresponds to 
uid=username,cn=users,cn=accounts,dc=domain,dc=net?  Please be sure to 
obscure any sensitive data.  I'd like to identify the data that is 
causing this problem.

>
> 3. Then I remove the corresponding user from IPA and force another 
> sync from AD, hoping that the user will sync properly this time, and 
> thus have its ntUser* attributes created:
>
>     [25/Nov/2013:14:29:09 +0000] NSMMReplicationPlugin - 
> agmt="cn=meToAD.domain.com" (dc03:389): map_entry_dn_inbound: looking 
> for local entry by uid [username]
>     [25/Nov/2013:14:29:09 +0000] - Windows sync entry: Adding new 
> local entry dn: uid=username,cn=users,cn=accounts,dc=domain,dc=net
>     [25/Nov/2013:14:29:09 +0000] NSMMReplicationPlugin - add operation 
> of entry uid=username,cn=users,cn=accounts,dc=domain,dc=net returned: 21
>
> It's like something (either AD or IPA) remembers that a user has 
> failed once, and then refuses to sync it any more. Removing the winsync 
> agreement and recreating it completely doesn't help. The user is still 
> not synced, and leaves error code 21.
>
> Anyone have any idea on why this is, and how I can sync the user even 
> though it has failed once?
>
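As an added example (not code from this thread or from 389-ds/FreeIPA): a small checker that takes the attribute values read from the AD entry and reports which of them violate the RFC 4517 syntax that 389-ds enforces when it returns error 21. The attribute-to-syntax mapping and the sample entry are assumptions constructed for illustration; take the real mapping from the IPA schema.

```python
import re

# Strict LDAP syntaxes from RFC 4517. Only these are checked, because
# free-form syntaxes such as DirectoryString accept almost anything.
SYNTAX_PATTERNS = {
    "Integer": re.compile(r"^-?(0|[1-9][0-9]*)$"),          # no leading zeros, no spaces
    "Boolean": re.compile(r"^(TRUE|FALSE)$"),
    "GeneralizedTime": re.compile(r"^\d{10}(\d\d(\d\d)?)?(\.\d+)?(Z|[+-]\d\d(\d\d)?)$"),
}

# Assumed attribute -> syntax mapping for the example; the authoritative
# source is the schema loaded in your own 389-ds / IPA instance.
ATTRIBUTE_SYNTAX = {
    "uidNumber": "Integer",
    "gidNumber": "Integer",
    "shadowExpire": "Integer",
    "nsAccountLock": "Boolean",
    "krbPasswordExpiration": "GeneralizedTime",
}


def find_invalid_syntax(entry, attribute_syntax=ATTRIBUTE_SYNTAX):
    """Return (attribute, value, syntax) for every value that fails its syntax.

    `entry` maps attribute names to lists of string values, as you would get
    from an LDAP search against the AD entry."""
    violations = []
    for attr, values in entry.items():
        syntax = attribute_syntax.get(attr)
        if syntax is None:
            continue  # unchecked syntax; 389-ds will not reject it with error 21
        pattern = SYNTAX_PATTERNS[syntax]
        for value in values:
            if not pattern.match(value):
                violations.append((attr, value, syntax))
    return violations


# Constructed sample resembling what winsync would try to write for a user.
# The leading space in uidNumber is the kind of data AD stores without
# complaint but 389-ds rejects as Invalid Syntax.
SAMPLE_ENTRY = {
    "uid": ["username"],
    "cn": ["User Name"],
    "uidNumber": [" 1001"],
    "gidNumber": ["1001"],
    "nsAccountLock": ["TRUE"],
    "krbPasswordExpiration": ["20140101000000Z"],
}

if __name__ == "__main__":
    for attr, value, syntax in find_invalid_syntax(SAMPLE_ENTRY):
        print(f"{attr}: {value!r} is not a valid {syntax}")
```

Run it against the obscured attribute values from the AD entry named in the error message; any line it prints is the attribute to fix (or to exclude from the sync) on the AD side.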
