[Freeipa-users] ipa sync agreement to AD DC is taking a very long time

Rich Megginson rmeggins at redhat.com
Tue Oct 15 15:58:22 UTC 2013 

On 10/15/2013 09:51 AM, janice.psyop wrote:
> Thanks for the replies.
>
> I checked this morning and it was still hung up on "Update in progess"
> so I killed it.
>
> @Alexander: Yes, I had already established a trust with our AD DC.  I
> was doing step " 9.4.2. Creating Synchronization Agreements"
> (FreeIPA_Guide/managing-sync-agmt.html)    I've been following the
> guide step-by-step.
>
>
> Here is the slapd-REALM/errors log (I truncated most of the repeating
> missing attribute errors, but the last line is really the last line in
> the log).  I don't see any glaring errors:
>
>
> # cat /var/log/dirsrv/slapd-IPANY/errors
>          389-Directory/1.2.11.15 B2013.240.174
>          nymipa.ipany.domain.com:636 (/etc/dirsrv/slapd-IPANY)
>
>
> [14/Oct/2013:17:32:43 -0400] - 389-Directory/1.2.11.15 B2013.240.174 starting up
> [14/Oct/2013:17:32:43 -0400] schema-compat-plugin - warning: no
> entries set up under cn=computers, cn=compat,dc=ipany
> [14/Oct/2013:17:32:43 -0400] schema-compat-plugin - warning: no
> entries set up under cn=ng, cn=compat,dc=ipany
> [14/Oct/2013:17:32:43 -0400] schema-compat-plugin - warning: no
> entries set up under ou=sudoers,dc=ipany
> [14/Oct/2013:17:32:44 -0400] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=ipany--no CoS Templates found, which should be
> added before the CoS Definition.
> [14/Oct/2013:17:32:44 -0400] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=ipany--no CoS Templates found, which should be
> added before the CoS Definition.
> [14/Oct/2013:17:32:44 -0400] - slapd started.  Listening on All
> Interfaces port 389 for LDAP requests
> [14/Oct/2013:17:32:44 -0400] - Listening on All Interfaces port 636
> for LDAPS requests
> [14/Oct/2013:17:32:44 -0400] - Listening on
> /var/run/slapd-IPANY.socket for LDAPI requests
> [14/Oct/2013:17:32:45 -0400] - Entry
> "cn=meTodc02.domain.com,cn=replica,cn=dc\3Dipany,cn=mapping
> tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not
> allowed

This is odd.  Looks like fractional replication is not supported by 
winsync, but ipa-replica-manage is trying to use it.  But this should 
not cause any problems.

> [14/Oct/2013:17:32:45 -0400] NSMMReplicationPlugin -
> agmt="cn=meTodc02.domain.com" (dc02:389): Replica has no update
> vector. It has never been initialized.
> [14/Oct/2013:17:32:45 -0400] NSMMReplicationPlugin -
> agmt="cn=meTodc02.domain.com" (dc02:389): Replica has no update
> vector. It has never been initialized.
> [14/Oct/2013:17:32:45 -0400] NSMMReplicationPlugin -
> agmt="cn=meTodc02.domain.com" (dc02:389): Replica has no update
> vector. It has never been initialized.

This is normal when you first create the winsync agreement but have not 
yet initialized it.

> [14/Oct/2013:17:32:47 -0400] NSMMReplicationPlugin - Beginning total
> update of replica "agmt="cn=meTodc02.domain.com" (dc02:389)".
> [14/Oct/2013:17:32:49 -0400] - Entry
> "uid=nfsuser,cn=users,cn=accounts,dc=ipany" missing attribute "sn"
> required by object class "person"
> [14/Oct/2013:17:32:49 -0400] - Entry
> "uid=tapeop,cn=users,cn=accounts,dc=ipany" missing attribute "sn"
> required by object class "person"
> [14/Oct/2013:17:33:14 -0400] - Entry
> "uid=nfsuserevs,cn=users,cn=accounts,dc=ipany" missing attribute "sn"
> required by object class "person"
> [14/Oct/2013:17:33:14 -0400] - Entry
> "uid=nfsuserbk01,cn=users,cn=accounts,dc=ipany" missing attribute "sn"
> required by object class "person"
>
>
> Should I go ahead and enable a more verbose log level (8192) and
> re-run the ipa-replica-manage connect --winsync ....  again?  I killed
> the process this morning so would I need to do any type of "clean up"
> before re-running?

I'm not sure if this winsync update finished - please turn on the 8192 
log level and see what it is doing.  If that shows nothing, then try 
ipa-replica-manage re-initialize .... It looks like winsync is already 
"connected".

>
>
> thanks,
> -J.
>
> On Tue, Oct 15, 2013 at 9:26 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>> On 10/15/2013 01:22 AM, Alexander Bokovoy wrote:
>>> On Mon, 14 Oct 2013, janice.psyop wrote:
>>>
>>>> Hi,
>>>>
>>>> I've been setting up an IPA server (centos 6.4) with AD trust (2008R2
>>>> domain) following the FC18 freeipa guide.
>>> AD trusts is different from AD sync agreement.
>>>
>>> What you describe below is use of passsync/winsync (AD sync), not AD
>>> trusts. Just to make sure we are on the same level here.
>>>>
>>>> Everything has gone smoothly until I ran the ipa-replica-manage connect
>>>> command to the AD DC and it seems to be running (no errors on std out and
>>>> ps says it is still running), but it has been running for six hours!  We
>>>> do
>>>> have ~2000 user entries,  but I didn't think it would take this long to
>>>> sync up.
>>>>
>>>> The command I ran was this (see below) and the screen now just displays
>>>> repeating "Update in progress".  I'm very tempted to kill it in case
>>>> something is going horribly wrong (with the AD user accounts...)
>>>>
>>>> /usr/sbin/ipa-replica-manage connect --winsync
>>>> --passsync=MySecretPass
>>>> --binddn=CN=myipasyncuser,CN=Users,DC=domain,DC=com
>>>> --bindpw=MySecretPass
>>>> --cacert=/etc/openldap/cacerts/DC-CA.cer
>>>> -v dc.domain.com
>>>>
>>>>
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>>
>>>>
>>>> Is there any way to check the progress of this in case it is in fact hung
>>>> up?  The last few entries in the ipa/default.log is from six hours ago:
>>>>
>>>>
>>>> 2013-10-14T21:32:45Z    2706    MainThread      ipa     INFO Added new
>>>> sync agreement, waiting for it to become ready . . .
>>>> 2013-10-14T21:32:46Z    2706    MainThread      ipa     INFO Replication
>>>> Update in progress: FALSE: status: 0 Replica acquired successfully:
>>>> Incremental update started: start: 0: end: 0
>>>> 2013-10-14T21:32:46Z    2706    MainThread      ipa     INFO Agreement
>>>> is ready, starting replication . . .
>>> Try to change some user data on AD side, it would trigger update of the
>>> IPA side.
>>>
>> Take a look at the 389 errors log - /var/log/dirsrv/slapd-YOUR-DOMAIN/errors
>> - anything in there?
>> If not, then you can turn on replication/sync error logging
>> http://port389.org/wiki/FAQ#Troubleshooting
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

More information about the Freeipa-users mailing list