[Freeipa-users] AD Sync issue

malo malo at avast.com
Thu Jul 21 14:27:19 UTC 2016 

Hello everyone,

I have one issue with replication from AD to IPA.
Right now on my IPA master I have the current packages :
ipa-admintools.x86_64 4.2.0-15.0.1.el7.centos.17      @updates
ipa-client.x86_64 4.2.0-15.0.1.el7.centos.17      @updates
ipa-python.x86_64 4.2.0-15.0.1.el7.centos.17      @updates
ipa-server.x86_64 4.2.0-15.0.1.el7.centos.17      @updates
ipa-server-dns.x86_64 4.2.0-15.0.1.el7.centos.17      @updates


My IPA realm is ipa.XX.XXX.example.com and my AD realm is XXX.example.com.

My IPA setup is without CA and it uses the same one as the AD for the 
certificates.


I've setup the replication like this :

ipa-replica-manage connect -v --winsync -p PASS --binddn DN_TO_USE 
--bindpw VERY_STRONG_PASS --passsync PASSSYNPWD --cacert 
/root/certs/CA.pem --win-subtree OU=SOMETHING,DC=xxx,DC=example,DC=com 
ad.XXX.example.com
Added CA certificate /root/certs/CA.pem to certificate database for 
master.ipa.XX.XXX.example.com
ipa: INFO: AD Suffix is: DC=xxx,DC=example,DC=com
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=ipa,dc=xx,dc=xxx,dc=example,dc=com
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica 
acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

Update succeeded

Connected 'master.ipa.XX.XXX.example.com' to 'ad.XXX.example.com'


When I list the replicas I got :

ipa-replica-manage list
master.ipa.XX.XXX.example.com: master
ad.XXX.example.com: winsync

Then I modified the agreement to be one way :

dn: 
cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3DXX\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping 
tree,cn=config
changetype: modify
add: oneWaySync
oneWaySync: fromWindows


But the issue is that I receive no user from the AD. The directory 
server remains empty.

The log of the agreement setup is attached to the mail.

Here is my current configuration :

ldapsearch -LLLx -b 
"cn=replica,cn=dc\3Dipa\2Cdc\3Dxx\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping 
tree,cn=config" -D  "cn=directory manager" -W 'objectclass=*'
dn: 
cn=replica,cn=dc\3Dipa\2Cdc\3Dxx\2Cdc\3Dxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=map
  ping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=ipa,dc=xx,dc=xxx,dc=example,dc=com
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 3
nsds5replicabinddngroupcheckinterval: 60
nsds5replicabinddngroup: cn=replication 
managers,cn=sysaccounts,cn=etc,dc=ipa,
  dc=xx,dc=xxx,dc=example,dc=com
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsState:: AwAAAAAAAAByxZBXAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAA==
nsDS5ReplicaName: dd9e8a43-483511e6-9d1e93d7-d4af26e1
nsds5ReplicaChangeCount: 2247
nsds5replicareapactive: 0

dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dxx\2Cdc\3Dxxx
  \2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=SOMETHING,DC=xxx,DC=example,DC=com
nsds7DirectoryReplicaSubtree: 
cn=users,cn=accounts,dc=ipa,dc=xx,dc=xxx,dc=example,dc=com
cn: meToad.XXX.example.com
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
nsDS5ReplicaRoot: dc=ipa,dc=xx,dc=xxx,dc=example,dc=com
nsDS5ReplicaHost: ad.XXX.example.com
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: CN=USER_LDAP,OU=users,OU=srv,DC=xxx,DC=example,D
  C=com
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipa.XX.XXX.example.com
nsDS5ReplicaBindMethod: simple
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof 
idnssoaserial
   entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
description: me to ad.xxx.example.com
nsDS5ReplicaCredentials: {AFSSDFASD==}
oneWaySync: fromWindows
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20160721125815Z
nsds5replicaLastUpdateEnd: 20160721125815Z
nsds5replicaChangesSentSinceStartup:: Mzo5LzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: 
Incremental upd
  ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20160721125315Z
nsds5replicaLastInitEnd: 20160721125315Z
nsds5replicaLastInitStatus: 0 Total update succeeded

I tried to re-initialize, force-sync but nothing helps.
I'm really stuck because there is nothing visible for me in the logs.

Thank you for reading me,


Nathan Malo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: agmt_create.log
Type: text/x-log
Size: 31959 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160721/cafb3e22/attachment.bin>

More information about the Freeipa-users mailing list