[Freeipa-users] [SOLVED] Re: IPA winsync replication

Dmitri Pal dpal at redhat.com
Tue Nov 26 18:52:42 UTC 2013 

On 11/26/2013 04:16 AM, Emil Petersson wrote:
>
> On 26/11/13 01:05, Rich Megginson wrote:
>> On 11/25/2013 04:57 PM, Rich Megginson wrote:
>>> On 11/25/2013 11:51 AM, Emil Petersson wrote:
>>>> On 25 Nov 2013, at 17:21, Rich Megginson <rmeggins at redhat.com
>>>> <mailto:rmeggins at redhat.com>> wrote:
>>>>
>>>>> On 11/25/2013 08:14 AM, Emil Petersson wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some unexpected
>>>>>> behaviour with winsync replication.
>>>>>>
>>>>>> 1. I have a working winsync agreement, and users are synced
>>>>>> correctly.
>>>>>>
>>>>>> 2. If a user already exists in in IPA when I sync it from AD, I'm
>>>>>> seeing the following in the dirsrv error logs:
>>>>>>
>>>>>>     [25/Nov/2013:14:29:03 +0000] NSMMReplicationPlugin -
>>>>>> windows_update_local_entry: failed to modify entry
>>>>>> uid=username,cn=users,cn=accounts,dc=domain,dc=net - error
>>>>>> 21:Invalid syntax
>>>>>>
>>>>>>     I assume this is because the user already exists in dirsrv? Fine.
>>>>>
>>>>> No.  Error 21 is Invalid Syntax.  This means the format of the
>>>>> data in the attribute in AD is not correct for the given syntax. 
>>>>> For example, if the syntax is Integer, this means the data should
>>>>> be a valid integer.  However, AD allows data that violates LDAP
>>>>> syntax.
>>>>>
>>>>> Can you post the data from the AD entry that corresponds to
>>>>> uid=username,cn=users,cn=accounts,dc=domain,dc=net?  Please be
>>>>> sure to obscure any sensitive data.  I'd like to identify the data
>>>>> that is causing this problem.
>>>>
>>>> Certainly, here goes:
>>>>
>>>> dn: CN=Firstname
>>>> Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=
>>>>  domain,DC=com
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: Firstname Lastname
>>>> sn: Lastname
>>>> title: Sysadmin
>>>> description: Employee
>>>> physicalDeliveryOfficeName: XX-XX-XX
>>>> telephoneNumber: +00 00 000 0
>>>> facsimileTelephoneNumber: +00 00 000 0
>>>> givenName: Firstname
>>>> distinguishedName: CN=Firstname
>>>> Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=O
>>>>  rganization,DC=domain,DC=com
>>>> instanceType: 4
>>>> whenCreated: 20110321122858.0Z
>>>> whenChanged: 20131120104224.0Z
>>>> displayName: Firstname Lastname
>>>> uSNCreated: 76590
>>>>  ngame,DC=com
>>>> memberOf: CN=All,OU=OrgGroups,OU=Organization,DC=domain,DC=com
>>>> memberOf: CN=sysadmins,OU=OrgGroups,OU=Organization,DC=domain,DC=com
>>>> uSNChanged: 66378160
>>>> department: Infrastructure
>>>> company: Company name
>>>> homeMTA: CN=Microsoft MTA,CN=MBX,CN=Servers,CN=Exchange
>>>> Administrative Group (
>>>>  FYDIBOHF23SPDLT),CN=Administrative
>>>> Groups,CN=globalmail,CN=Microsoft Exchange
>>>>  ,CN=Services,CN=Configuration,DC=domain,DC=com
>>>> proxyAddresses: SMTP:first.last at domain.com <http://domain.com>
>>>> proxyAddresses: smtp:first.last at domain2.com <http://domain2.com>
>>>> proxyAddresses: smtp:first.last at domain3.com <http://domain3.com>
>>>> proxyAddresses: sip:first.last at domain.com
>>>> proxyAddresses: X400:C=SE;A=
>>>> ;P=globalmail;O=Exchange;S=Lastname;G=Firstname;
>>>> homeMDB: CN=DB3,CN=SG03 -
>>>> 2GB,CN=InformationStore,CN=MBX,CN=Servers,CN=Exchang
>>>>  e Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
>>>> Groups,CN=globalma
>>>>  il,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
>>>> garbageCollPeriod: 1209600
>>>> mDBUseDefaults: TRUE
>>>> extensionAttribute8: Companyname
>>>> mailNickname: username
>>>> protocolSettings:: SFRUUMKnMcKnMcKnwqfCp8KnwqfCpw==
>>>> protocolSettings:: T1dBwqcx
>>>> internetEncoding: 0
>>>> name: Firstnam Lastname
>>>> objectGUID:: pDdL7yY7gEuqRdQLTjLo0w==
>>>> userAccountControl: 512
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> homeDirectory: \\path\to\home <smb://path/to/home>
>>>> homeDrive: H:
>>>> badPasswordTime: 130295283826410995
>>>> lastLogoff: 0
>>>> lastLogon: 130297464093469882
>>>> pwdLastSet: 130294130189116476
>>>> primaryGroupID: 513
>>>> objectSid:: AQUAAAoiadjfojdfojsodijfQkAH5TsrAA==
>>>> accountExpires: 0
>>>> logonCount: 6909
>>>> sAMAccountName: username
>>>> sAMAccountType: 805306368
>>>> showInAddressBook: CN=Default Global Address List,CN=All Global
>>>> Address Lists,
>>>>  CN=Address Lists Container,CN=globalmail,CN=Microsoft
>>>> Exchange,CN=Services,CN
>>>>  =Configuration,DC=domain,DC=com
>>>> showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address
>>>> Lists Containe
>>>>  r,CN=globalmail,CN=Microsoft
>>>> Exchange,CN=Services,CN=Configuration,DC=domain,
>>>>  DC=com
>>>> legacyExchangeDN: /o=globalmail/ou=Exchange Administrative Group
>>>> (FYDIBOHF23SP
>>>>  DLT)/cn=Recipients/cn=username
>>>> userPrincipalName: first at domain.com <mailto:first at domain.com>
>>>> lockoutTime: 0
>>>> ipPhone: +00 00 00 00
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
>>>> dSCorePropagationData: 20131118102944.0Z
>>>> dSCorePropagationData: 20131118102934.0Z
>>>> dSCorePropagationData: 20130313150036.0Z
>>>> dSCorePropagationData: 20120821144903.0Z
>>>> dSCorePropagationData: 16010101181216.0Z
>>>> lastLogonTimestamp: 130294177442871790
>>>> textEncodedORAddress: c=XX;a=
>>>> ;p=globalmail;o=Exchange;s=Lastname;g=Firstname;
>>>> mail: first.last at domain.com <mailto:first.last at domain.com>
>>>> manager: CN=Manager
>>>> Name,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=o
>>>>  ngame,DC=com
>>>> mobile:: KzQ2NzI3mjMEMTEwwqAJ
>>
>> I think this may be the problem.  mobile contains non printable
>> characters:
>> $ python
>> >>> import base64
>> >>> base64.b64decode('KzQ2NzI3mjMEMTEwwqAJ')
>> '+46727\x9a3\x04110\xc2\xa0\t'
>>
>> Looks like the mobile phone number contains utf8 characters.  It must
>> not:
>>     /* Per RFC4517:
>>      *
>>      * TelephoneNumber = PrintableString
>>      * PrintableString = 1*PrintableCharacter
>>      */
>>
>> Unfortunately, AD syntax checking leaves a lot to be desired, so it
>> allows this and other bogus data.  IPA/389 is much stricter.
> Hey Rich,
>
> You are correct!
>
> All "mobile" entries in our AD is base64 encoded and ends with
> "\xc2\xa0\t". Removing the junk characters from the mobile entry makes
> the user sync correctly, regardless of if the user pre exists or not.
> Issue solved, thanks alot for pointing this out!
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Added a solved tag to subj.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20131126/0b52985c/attachment.htm>

More information about the Freeipa-users mailing list