[Freeipa-users] IPA winsync replication

Emil Petersson emil at melt.se
Tue Nov 26 09:16:01 UTC 2013 

On 26/11/13 01:05, Rich Megginson wrote:
> On 11/25/2013 04:57 PM, Rich Megginson wrote:
>> On 11/25/2013 11:51 AM, Emil Petersson wrote:
>>> On 25 Nov 2013, at 17:21, Rich Megginson <rmeggins at redhat.com 
>>> <mailto:rmeggins at redhat.com>> wrote:
>>>
>>>> On 11/25/2013 08:14 AM, Emil Petersson wrote:
>>>>> Hi,
>>>>>
>>>>> I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some unexpected 
>>>>> behaviour with winsync replication.
>>>>>
>>>>> 1. I have a working winsync agreement, and users are synced correctly.
>>>>>
>>>>> 2. If a user already exists in in IPA when I sync it from AD, I'm 
>>>>> seeing the following in the dirsrv error logs:
>>>>>
>>>>>     [25/Nov/2013:14:29:03 +0000] NSMMReplicationPlugin - 
>>>>> windows_update_local_entry: failed to modify entry 
>>>>> uid=username,cn=users,cn=accounts,dc=domain,dc=net - error 
>>>>> 21:Invalid syntax
>>>>>
>>>>>     I assume this is because the user already exists in dirsrv? Fine.
>>>>
>>>> No.  Error 21 is Invalid Syntax.  This means the format of the data 
>>>> in the attribute in AD is not correct for the given syntax.  For 
>>>> example, if the syntax is Integer, this means the data should be a 
>>>> valid integer. However, AD allows data that violates LDAP syntax.
>>>>
>>>> Can you post the data from the AD entry that corresponds to 
>>>> uid=username,cn=users,cn=accounts,dc=domain,dc=net? Please be sure 
>>>> to obscure any sensitive data.  I'd like to identify the data that 
>>>> is causing this problem.
>>>
>>> Certainly, here goes:
>>>
>>> dn: CN=Firstname 
>>> Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=
>>>  domain,DC=com
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: Firstname Lastname
>>> sn: Lastname
>>> title: Sysadmin
>>> description: Employee
>>> physicalDeliveryOfficeName: XX-XX-XX
>>> telephoneNumber: +00 00 000 0
>>> facsimileTelephoneNumber: +00 00 000 0
>>> givenName: Firstname
>>> distinguishedName: CN=Firstname 
>>> Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=O
>>>  rganization,DC=domain,DC=com
>>> instanceType: 4
>>> whenCreated: 20110321122858.0Z
>>> whenChanged: 20131120104224.0Z
>>> displayName: Firstname Lastname
>>> uSNCreated: 76590
>>>  ngame,DC=com
>>> memberOf: CN=All,OU=OrgGroups,OU=Organization,DC=domain,DC=com
>>> memberOf: CN=sysadmins,OU=OrgGroups,OU=Organization,DC=domain,DC=com
>>> uSNChanged: 66378160
>>> department: Infrastructure
>>> company: Company name
>>> homeMTA: CN=Microsoft MTA,CN=MBX,CN=Servers,CN=Exchange 
>>> Administrative Group (
>>>  FYDIBOHF23SPDLT),CN=Administrative 
>>> Groups,CN=globalmail,CN=Microsoft Exchange
>>>  ,CN=Services,CN=Configuration,DC=domain,DC=com
>>> proxyAddresses: SMTP:first.last at domain.com <http://domain.com>
>>> proxyAddresses: smtp:first.last at domain2.com <http://domain2.com>
>>> proxyAddresses: smtp:first.last at domain3.com <http://domain3.com>
>>> proxyAddresses: sip:first.last at domain.com
>>> proxyAddresses: X400:C=SE;A= 
>>> ;P=globalmail;O=Exchange;S=Lastname;G=Firstname;
>>> homeMDB: CN=DB3,CN=SG03 - 
>>> 2GB,CN=InformationStore,CN=MBX,CN=Servers,CN=Exchang
>>>  e Administrative Group (FYDIBOHF23SPDLT),CN=Administrative 
>>> Groups,CN=globalma
>>>  il,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
>>> garbageCollPeriod: 1209600
>>> mDBUseDefaults: TRUE
>>> extensionAttribute8: Companyname
>>> mailNickname: username
>>> protocolSettings:: SFRUUMKnMcKnMcKnwqfCp8KnwqfCpw==
>>> protocolSettings:: T1dBwqcx
>>> internetEncoding: 0
>>> name: Firstnam Lastname
>>> objectGUID:: pDdL7yY7gEuqRdQLTjLo0w==
>>> userAccountControl: 512
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> homeDirectory: \\path\to\home <smb://path/to/home>
>>> homeDrive: H:
>>> badPasswordTime: 130295283826410995
>>> lastLogoff: 0
>>> lastLogon: 130297464093469882
>>> pwdLastSet: 130294130189116476
>>> primaryGroupID: 513
>>> objectSid:: AQUAAAoiadjfojdfojsodijfQkAH5TsrAA==
>>> accountExpires: 0
>>> logonCount: 6909
>>> sAMAccountName: username
>>> sAMAccountType: 805306368
>>> showInAddressBook: CN=Default Global Address List,CN=All Global 
>>> Address Lists,
>>>  CN=Address Lists Container,CN=globalmail,CN=Microsoft 
>>> Exchange,CN=Services,CN
>>>  =Configuration,DC=domain,DC=com
>>> showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address 
>>> Lists Containe
>>>  r,CN=globalmail,CN=Microsoft 
>>> Exchange,CN=Services,CN=Configuration,DC=domain,
>>>  DC=com
>>> legacyExchangeDN: /o=globalmail/ou=Exchange Administrative Group 
>>> (FYDIBOHF23SP
>>>  DLT)/cn=Recipients/cn=username
>>> userPrincipalName: first at domain.com <mailto:first at domain.com>
>>> lockoutTime: 0
>>> ipPhone: +00 00 00 00
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
>>> dSCorePropagationData: 20131118102944.0Z
>>> dSCorePropagationData: 20131118102934.0Z
>>> dSCorePropagationData: 20130313150036.0Z
>>> dSCorePropagationData: 20120821144903.0Z
>>> dSCorePropagationData: 16010101181216.0Z
>>> lastLogonTimestamp: 130294177442871790
>>> textEncodedORAddress: c=XX;a= 
>>> ;p=globalmail;o=Exchange;s=Lastname;g=Firstname;
>>> mail: first.last at domain.com <mailto:first.last at domain.com>
>>> manager: CN=Manager 
>>> Name,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=o
>>>  ngame,DC=com
>>> mobile:: KzQ2NzI3mjMEMTEwwqAJ
>
> I think this may be the problem.  mobile contains non printable 
> characters:
> $ python
> >>> import base64
> >>> base64.b64decode('KzQ2NzI3mjMEMTEwwqAJ')
> '+46727\x9a3\x04110\xc2\xa0\t'
>
> Looks like the mobile phone number contains utf8 characters.  It must not:
>     /* Per RFC4517:
>      *
>      * TelephoneNumber = PrintableString
>      * PrintableString = 1*PrintableCharacter
>      */
>
> Unfortunately, AD syntax checking leaves a lot to be desired, so it 
> allows this and other bogus data.  IPA/389 is much stricter.
Hey Rich,

You are correct!

All "mobile" entries in our AD is base64 encoded and ends with 
"\xc2\xa0\t". Removing the junk characters from the mobile entry makes 
the user sync correctly, regardless of if the user pre exists or not. 
Issue solved, thanks alot for pointing this out!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20131126/a7f6a053/attachment.htm>

More information about the Freeipa-users mailing list