[Freeipa-users] Synchronization Agreements between FreeIPA and AD
Rich Megginson
rmeggins at redhat.com
Thu Nov 13 14:21:19 UTC 2014
On 11/13/2014 05:14 AM, Сапегин Валерий wrote:
> Hi Rich!
>
> I turned on the log and see the following records
>
> [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): State: start_backoff -> backoff
> [13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV:
> [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replicageneration} 5440f039000000030000
> [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa.test-csbi-its.ru:389} 5440f039000100030000 5464956e000000030000 5464956e
> [13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV:
> [13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
> [13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV is newer
> [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Cancelling linger on the connection
> [13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state before 546495820001:1415878018:0:0
> [13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state after 546495860000:1415878022:0:0
> [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): State: backoff -> sending_updates
> [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
> [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Beginning linger on the connection
> [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): State: sending_updates -> start_backoff
>
There is no windows sync trace activity here. You have to first enable
the replication log level, then do something that will trigger windows
sync activity.
> Best regards, Valeriy
>
>
>
> On 10/29/2014 03:19 AM, Сапегин Валерий wrote:
>> Yes, Dmitri, ldapsearch works well:
>>
>> [root ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D "cn=ipa-test,cn=users,dc=csbigroup,dc=ru" -w "ttttttttt" -s base -b "cn=users,dc=csbigroup,dc=ru"
>> dn: cn=users,dc=csbigroup,dc=ru
>> objectClass: top
>> objectClass: container
>> cn: Users
>> description: Default container for upgraded user accounts
>> distinguishedName: CN=Users,DC=csbigroup,DC=ru
>> instanceType: 4
>> ...
>> ...
>>
>
> Ok. Now try to do a windows sync with the dirsrv replication error
> log level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>
> Then we can take a look at the detailed errors.
>
>>
>> Best regards, Сапегин Валерий
>>
>> 2014-10-23 16:19 GMT+04:00 Сапегин Валерий <unitaip gmail com>:
>>
>> Hello!
>>
>> I tried to configure synchronization between FreeIPA and Windows
>> AD 2012. The first time, accounts from AD synchronized
>> properly, but the next scheduled run after 5 min does not work, and in the error
>> log I see the following errors:
>>
>> # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
>> [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
>> [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
>> [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
>>
>> First synchronization output
>>
>> Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
>> ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
>> Windows PassSync entry exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
>> ipa: INFO: Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> Update in progress, 13 seconds elapsed
>> [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
>>
>> Failed to start replication
>>
>>
>>
>> FreeIPA server version 3.3.3
>> OS version Centos 7
>> AD Domain 2012
>>
>> Can you help me to resolve this problem?
>>
>> Best regards, Valeriy
>>
>>
>>
>>
>
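
An added example, not part of the thread and not 389-ds or FreeIPA project code: a Python summary of the agreement records in the errors log quoted above, showing per agreement the state transitions and whether the consumer is reported as never initialized. The sample records are constructed from the 13 Nov excerpt with mail wrapping removed; `summarize` and its field names are hypothetical.

```python
import re
from collections import defaultdict

# Agreement records as they appear on disk: one record per line.
RECORD = re.compile(r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
                    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<msg>.*)$')
STATE = re.compile(r'^State: (\w+) -> (\w+)$')
UNINIT = "Replica has no update vector. It has never been initialized."

# Constructed sample: records from the 13 Nov excerpt, unwrapped.
AGMT = 'NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): '
TS = "[13/Nov/2014:14:27:02 +0300] "
SAMPLE = [
    TS + AGMT + "State: start_backoff -> backoff",
    TS + "- acquire_replica, consumer RUV = null",
    TS + AGMT + "State: backoff -> sending_updates",
    TS + AGMT + UNINIT,
    TS + AGMT + "State: sending_updates -> start_backoff",
]


def summarize(lines):
    """Per agreement: state transitions, uninitialized-consumer count, retry loop flag."""
    out = defaultdict(lambda: {"transitions": [], "uninitialized": 0, "retry_loop": False})
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # RUV dumps, csngen lines and other non-agreement records
        info = out[m["agmt"]]
        s = STATE.match(m["msg"])
        if s:
            info["transitions"].append((s[1], s[2]))
        elif m["msg"] == UNINIT:
            info["uninitialized"] += 1
    for info in out.values():
        # Retry loop: the consumer was reported uninitialized and the agreement
        # dropped from sending_updates straight back to start_backoff.
        info["retry_loop"] = (info["uninitialized"] > 0 and
                              ("sending_updates", "start_backoff") in info["transitions"])
    return dict(out)


if __name__ == "__main__":
    for agmt, info in summarize(SAMPLE).items():
        print(agmt, info)
```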