[Freeipa-users] Synchronization Agreements between FreeIPA and AD

Сапегин Валерий unitaip at gmail.com
Thu Nov 13 12:14:51 UTC 2014


Hi Rich!

I turned on the log and see the following records:

[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=
meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): State: start_backoff ->
backoff
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV:
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier:
{replicageneration} 5440f039000000030000
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replica 3
ldap://ipa.test-csbi-its.ru:389} 5440f039000100030000 5464956e000000030000
5464956e
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV:
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV is newer
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=
meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Cancelling linger on the
connection
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state before
546495820001:1415878018:0:0
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state after
546495860000:1415878022:0:0
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=
meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): State: backoff ->
sending_updates
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=
meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update
vector. It has never been initialized.
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=
meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Beginning linger on the
connection
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=
meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): State: sending_updates
-> start_backoff



   Best regards, Valeriy



On 10/29/2014 03:19 AM, Сапегин Валерий wrote:

Yes Dmitri, ldapsearch works well:

[root ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/
ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D
"cn=ipa-test,cn=users,dc=csbigroup,dc=ru" -w "ttttttttt" -s base -b
"cn=users,dc=csbigroup,dc=ru"
dn: cn=users,dc=csbigroup,dc=ru
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=csbigroup,DC=ru
instanceType: 4
...
...


Ok.  Now try to do a windows sync with the dirsrv replication error log
level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Then we can take a look at the detailed errors.


 Best regards, Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий <unitaip gmail com>:

>    Hello!
>
>  I tried to configure synchronization between FreeIPA and Windows AD
> 2012. The first time, accounts from AD synchronized properly, but the next
> scheduled run after 5 min does not work, and in the error log I see the
> following errors:
>
> # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
> [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt="cn=
> meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update
> vector. It has never been initialized.
> [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt="cn=
> meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update
> vector. It has never been initialized.
> [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt="cn=
> meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update
> vector. It has never been initialized.
>
>  First synchronization output:
>
> Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate
> database for ipa.test-csbi-its.ru
> ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
> acquired successfully: Incremental update started: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update in progress, 13 seconds elapsed
> [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update
> abortedLDAP error: Can't contact LDAP server]
>
> Failed to start replication
>
>
>
>  FreeIPA server version 3.3.3
>  OS version Centos 7
>  AD Domain 2012
>
>  Can you help me to resolve this problem?
>
>     Best regards, Valeriy
>
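
Added example, not part of the thread or of 389-ds/FreeIPA: a small parser for errors-log excerpts like the ones quoted in this message. It rejoins mail-wrapped lines, then reports each agreement's state transitions and how often "It has never been initialized" repeats. The sample lines are constructed (host `ad.example.test` is a placeholder) and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted above, wrapped the way the mail client wrapped it.
SAMPLE = '''\
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=
meToad.example.test" (ad:389): State: backoff ->
sending_updates
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=
meToad.example.test" (ad:389): Replica has no update
vector. It has never been initialized.
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=
meToad.example.test" (ad:389): State: sending_updates
-> start_backoff
'''

STAMP = re.compile(r'^\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] ')
AGMT = re.compile(r'agmt="(?P<agmt>[^"]+)" \([^)]*\): (?P<msg>.*)$')
STATE = re.compile(r'State: (\S+) -> (\S+)')

def unwrap(text):
    """Rejoin wrapped records: every real record starts with a timestamp."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            # Assumption: a break right after 'cn=' split the agreement name mid-token.
            sep = '' if records[-1].endswith('cn=') else ' '
            records[-1] += sep + line
    return records

def summarize(text):
    """Return (state transitions, 'never initialized' counts) keyed by agreement."""
    transitions, uninit = {}, Counter()
    for rec in unwrap(text):
        m = AGMT.search(rec)
        if not m:
            continue  # not an agreement-scoped record (e.g. RUV dump lines)
        agmt, msg = m.group('agmt'), m.group('msg')
        s = STATE.search(msg)
        if s:
            transitions.setdefault(agmt, []).append((s.group(1), s.group(2)))
        if 'has never been initialized' in msg:
            uninit[agmt] += 1
    return transitions, uninit
```

Calling `summarize()` on the contents of `/var/log/dirsrv/slapd-<INSTANCE>/errors` gives one transition list and one counter entry per agreement, which makes a repeating backoff cycle easy to spot.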