<html> <head> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> <link href="chrome://translator/skin/floatingPanel.css" type="text/css" rel="stylesheet"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi, I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some unexpected behaviour with winsync replication. 1. I have a working winsync agreement, and users are synced correctly. 2. If a user already exists in in IPA when I sync it from AD, I'm seeing the following in the dirsrv error logs: [25/Nov/2013:14:29:03 +0000] NSMMReplicationPlugin - windows_update_local_entry: failed to modify entry uid=username,cn=users,cn=accounts,dc=domain,dc=net - error 21:Invalid syntax I assume this is because the user already exists in dirsrv? Fine. 3. Then I remove the corresponding user from IPA and force another sync from AD, hoping that the user will sync properly this time, and thus have its ntUser* attributes created: [25/Nov/2013:14:29:09 +0000] NSMMReplicationPlugin - agmt="cn=meToAD.domain.com" (dc03:389): map_entry_dn_inbound: looking for local entry by uid [username] [25/Nov/2013:14:29:09 +0000] - Windows sync entry: Adding new local entry dn: uid=username,cn=users,cn=accounts,dc=domain,dc=net [25/Nov/2013:14:29:09 +0000] NSMMReplicationPlugin - add operation of entry uid=username,cn=users,cn=accounts,dc=domain,dc=net returned: 21 It's like something (either AD or IPA) remembers that a user have failed once, and then refuse to sync it any more. Removing the winsync agreement and recreating it completely doesn't help. The user is still not synced, and leaves error code 21. Anyone have any idea on why this is, and how I can sync the user even though it has failed once? <div style="bottom: auto; left: 370px; right: auto; top: 56px; display: none;" class="translator-theme-default" id="translator-floating-panel"> <div title="Click to translate" id="translator-floating-panel-button"></div> </div> </body> </html>