[Freeipa-users] FreeIPA 4.4 / Winsync issues.

Devin Acosta linuxguru.co at gmail.com
Thu Feb 23 15:38:40 UTC 2017


I have installed a new replica in our IPA domain and configured it to do a
winsync with Windows 2012R2. It creates the agreement but then after a
while it dies. It appears something isn't configured just right. The
Windows client is using the passsync user on my side, and I'm creating the
sync using a Windows account that has the appropriate permissions.


This is what I see after about 10 minutes of the sync running from the
server side.

[22/Feb/2017:23:43:33.103632587 +0000] agmt="cn=
meTolas01-050-005.axi.mtech.int" (las01-050-005:389) - Can't locate CSN
58ae2255000000180000 in the changelog (DB rc=-30988). If replication stops,
the consumer may need to be reinitialized.
[22/Feb/2017:23:43:33.105866800 +0000] NSMMReplicationPlugin - changelog
program - agmt="cn=meTolas01-050-005.axi.mtech.int" (las01-050-005:389):
CSN 58ae2255000000180000 not found, we aren't as up to date, or we purged
[22/Feb/2017:23:43:33.107971862 +0000] NSMMReplicationPlugin - windows sync
- agmt="cn=meTolas01-050-005.axi.mtech.int" (las01-050-005:389): Data
required to update replica has been purged. The replica must be
reinitialized.
[22/Feb/2017:23:43:33.109455154 +0000] NSMMReplicationPlugin - windows sync
- agmt="cn=meTolas01-050-005.axi.mtech.int" (las01-050-005:389):
Incremental update failed and requires administrator action

On the Windows side, we show either DSA is unwilling to perform, or
Insufficient access. We are using the passsync user that was created during
the sync.

02/21/17 15:25:20: PassSync service initialized
02/21/17 15:25:20: PassSync service running
02/21/17 15:25:20: dataFilename is C:\Windows\System32\passhook.dat
02/21/17 15:25:20: 1 new entries loaded from data file
02/21/17 15:25:20: Cleared contents of data file
02/21/17 15:25:20: Password list has 1 entries
02/21/17 15:25:20: Ldap bind error in Connect
53: DSA is unwilling to perform
02/21/17 15:25:20: Attempting to sync password for jeremiah.pedersen
02/21/17 15:25:20: Searching for (uid=jeremiah.pedersen)
02/21/17 15:25:20: Password match, no modify performed: jeremiah.pedersen
02/21/17 15:25:20: Removing password change from list
02/21/17 15:25:20: Password list is empty.  Waiting for passhook event
02/21/17 17:19:42: Received passhook event.  Attempting sync
02/21/17 17:19:42: 1 new entries loaded from data file
02/21/17 17:19:42: Cleared contents of data file
02/21/17 17:19:42: Password list has 1 entries
02/21/17 17:19:42: Ldap bind error in Connect
53: DSA is unwilling to perform
02/21/17 17:19:42: Attempting to sync password for jeremiah
02/21/17 17:19:42: Searching for (uid=jeremiah)
02/21/17 17:19:42: Password match, no modify performed: jeremiah
02/21/17 17:19:42: Removing password change from list
02/21/17 17:19:42: Password list is empty.  Waiting for passhook event
02/22/17 05:05:15: Received passhook event.  Attempting sync
02/22/17 05:05:15: 1 new entries loaded from data file
02/22/17 05:05:15: Cleared contents of data file
02/22/17 05:05:15: Password list has 1 entries
02/22/17 05:05:15: Ldap bind error in Connect
53: DSA is unwilling to perform
02/22/17 05:05:15: Attempting to sync password for ray
02/22/17 05:05:15: Searching for (uid=ray)
02/22/17 05:05:15: Ldap error in ModifyPassword
50: Insufficient access
02/22/17 05:05:15: Modify password failed for remote entry:
uid=ray,cn=users,cn=accounts,dc=lxi,dc=mtech,dc=int
02/22/17 05:05:15: Deferring password change for ray
02/22/17 05:05:15: Backing off for 2000ms
02/22/17 05:05:17: Backoff time expired.  Attempting sync
02/22/17 05:05:17: Password list has 1 entries
02/22/17 05:05:17: Ldap bind error in Connect
53: DSA is unwilling to perform
02/22/17 05:05:17: Attempting to sync password for ray
02/22/17 05:05:17: Searching for (uid=ray)
02/22/17 05:05:17: Ldap error in ModifyPassword
50: Insufficient access
02/22/17 05:05:17: Modify password failed for remote entry:
uid=ray,cn=users,cn=accounts,dc=lxi,dc=mtech,dc=int
02/22/17 05:05:17: Deferring password change for ray
02/22/17 05:05:17: Backing off for 4000ms
02/22/17 05:05:21: Backoff time expired.  Attempting sync
02/22/17 05:05:21: Password list has 1 entries
02/22/17 05:05:21: Ldap bind error in Connect
53: DSA is unwilling to perform
02/22/17 05:05:21: Attempting to sync password for ray
02/22/17 05:05:21: Searching for (uid=ray)
02/22/17 05:05:21: Ldap error in ModifyPassword
50: Insufficient access
02/22/17 05:05:21: Modify password failed for remote entry:
uid=ray,cn=users,cn=accounts,dc=lxi,dc=mtech,dc=int
02/22/17 05:05:21: Deferring password change for ray
02/22/17 05:05:21: Backing off for 8000ms
02/22/17 05:05:29: Backoff time expired.  Attempting sync
02/22/17 05:05:29: Password list has 1 entries
02/22/17 05:05:29: Ldap bind error in Connect
53: DSA is unwilling to perform

Any help would greatly be appreciated.
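
Added example, not part of the original post: a Python triage script for the PassSync log format quoted above. It pairs each "Ldap ... error in <operation>" line with the numeric LDAP result on the line after it and counts failures per operation and per user, which separates the bind-time result 53 from the ModifyPassword result 50. The sample log is constructed from the format shown in the post, and the function name summarize is hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the PassSync log format quoted in the post above.
SAMPLE = """\
02/22/17 05:05:15: Ldap bind error in Connect
53: DSA is unwilling to perform
02/22/17 05:05:15: Attempting to sync password for ray
02/22/17 05:05:15: Ldap error in ModifyPassword
50: Insufficient access
02/22/17 05:05:17: Ldap bind error in Connect
53: DSA is unwilling to perform
02/22/17 05:05:17: Attempting to sync password for ray
02/22/17 05:05:17: Ldap error in ModifyPassword
50: Insufficient access
02/22/17 05:05:17: Attempting to sync password for jeremiah
02/22/17 05:05:17: Password match, no modify performed: jeremiah
"""

STAMPED = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}: (.*)$")
RESULT = re.compile(r"^(\d+): (.+)$")  # LDAP result code on its own line
LDAP_ERR = re.compile(r"^Ldap (?:bind )?error in (\w+)$")
ATTEMPT = re.compile(r"^Attempting to sync password for (\S+)$")

def summarize(log_text):
    """Join each LDAP error line with the result line that follows it and
    attribute non-bind failures to the user being synced at that point."""
    errors = Counter()               # (operation, code, text) -> count
    per_user = defaultdict(Counter)  # user -> (operation, code) -> count
    user, pending_op = None, None
    for line in log_text.splitlines():
        line = line.strip()
        m = STAMPED.match(line)
        if m:
            msg, pending_op = m.group(1), None
            if (a := ATTEMPT.match(msg)):
                user = a.group(1)
            elif (e := LDAP_ERR.match(msg)):
                pending_op = e.group(1)
            continue
        r = RESULT.match(line)
        if r and pending_op:
            code = int(r.group(1))
            errors[(pending_op, code, r.group(2))] += 1
            if pending_op != "Connect" and user:
                per_user[user][(pending_op, code)] += 1
            pending_op = None
    return errors, per_user
```

Call summarize() on the text of the PassSync log file to see which operations fail with which result code, and for which users.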