[Freeipa-users] ipa sync agreement to AD DC is taking a very long time
Rich Megginson
rmeggins at redhat.com
Tue Oct 15 13:26:49 UTC 2013
On 10/15/2013 01:22 AM, Alexander Bokovoy wrote:
> On Mon, 14 Oct 2013, janice.psyop wrote:
>
>> Hi,
>>
>> I've been setting up an IPA server (centos 6.4) with AD trust (2008R2
>> domain) following the FC18 freeipa guide.
> AD trusts is different from AD sync agreement.
>
> What you describe below is use of passsync/winsync (AD sync), not AD
> trusts. Just to make sure we are on the same level here.
>>
>> Everything has gone smoothly until I ran the ipa-replica-manage connect
>> command to the AD DC and it seems to be running (no errors on std out and
>> ps says it is still running), but it has been running for six hours! We do
>> have ~2000 user entries, but I didn't think it would take this long to
>> sync up.
>>
>> The command I ran was this (see below) and the screen now just displays
>> repeating "Update in progress". I'm very tempted to kill it in case
>> something is going horribly wrong (with the AD user accounts...)
>>
>> /usr/sbin/ipa-replica-manage connect --winsync
>> --passsync=MySecretPass
>> --binddn=CN=myipasyncuser,CN=Users,DC=domain,DC=com
>> --bindpw=MySecretPass
>> --cacert=/etc/openldap/cacerts/DC-CA.cer
>> -v dc.domain.com
>>
>>
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>> Update in progress
>>
>>
>> Is there any way to check the progress of this in case it is in fact hung
>> up? The last few entries in the ipa/default.log is from six hours ago:
>>
>>
>> 2013-10-14T21:32:45Z 2706 MainThread ipa INFO Added new sync agreement, waiting for it to become ready . . .
>> 2013-10-14T21:32:46Z 2706 MainThread ipa INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
>> 2013-10-14T21:32:46Z 2706 MainThread ipa INFO Agreement is ready, starting replication . . .
> Try to change some user data on AD side, it would trigger update of the
> IPA side.
>
Take a look at the 389 errors log -
/var/log/dirsrv/slapd-YOUR-DOMAIN/errors - anything in there?
If not, then you can turn on replication/sync error logging:
http://port389.org/wiki/FAQ#Troubleshooting
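
One way to answer the "is it hung?" question from the directory server itself, following the advice above (an added example, not part of the original message or of FreeIPA): it reads the winsync agreement's status attributes from cn=config and includes the ldapmodify that turns on replication logging. The Directory Manager bind, the `DS_LIVE` switch, the function names and the sample LDIF are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a "cn=Directory Manager" bind and
# the numeric-code-first status format seen in the poster's default.log.

# Read the winsync agreement's status attributes from cn=config (-W prompts).
query_agreement() {
    ldapsearch -x -LLL -D "cn=Directory Manager" -W -b cn=config \
        "(objectClass=nsDSWindowsReplicationAgreement)" \
        nsds5replicaUpdateInProgress nsds5replicaLastUpdateStatus
}

# Reduce the LDIF on stdin to a one-line verdict.
summarize_agreement() {
    awk -F': *' '
        { key = tolower($1) }
        key == "nsds5replicaupdateinprogress" { busy = toupper($2) }
        key == "nsds5replicalastupdatestatus" { split($2, f, " "); code = f[1] }
        END {
            if (busy == "" && code == "") print "no winsync agreement returned"
            else if (busy == "TRUE")      print "running: update in progress"
            else if (code == "0")         print "idle: last update status 0"
            else print "idle: last status " code ", check the errors log"
        }'
}

# 8192 turns on replication debugging; restore the previous level afterwards.
set_errorlog_level() {
    ldapmodify -x -D "cn=Directory Manager" -W <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: $1
EOF
}

# Constructed sample mirroring the status line quoted in the thread.
sample_ldif() {
    printf '%s\n' \
        'dn: cn=CONSTRUCTED-AGREEMENT,cn=config' \
        'nsds5replicaUpdateInProgress: FALSE' \
        'nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started'
}

if [ "${DS_LIVE:-0}" = 1 ]; then
    query_agreement | summarize_agreement
    grep NSMMReplicationPlugin /var/log/dirsrv/slapd-YOUR-DOMAIN/errors | tail -n 20
else
    sample_ldif | summarize_agreement
fi
```

Run it with `DS_LIVE=1` on the IPA server to query the real agreement; without it, only the constructed sample is parsed.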