<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 11/25/2013 11:51 AM, Emil Petersson
      wrote:<br>
    </div>
    <blockquote cite="mid:EDC9EBD9-3A79-478A-ACE5-20D493F21857@melt.se"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      On 25 Nov 2013, at 17:21, Rich Megginson &lt;<a
        moz-do-not-send="true" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>&gt;
      wrote:<br>
      <div><br class="Apple-interchange-newline">
        <blockquote type="cite">
          <div bgcolor="#FFFFFF" text="#000000" style="font-family:
            Helvetica; font-size: 15px; font-style: normal;
            font-variant: normal; font-weight: normal; letter-spacing:
            normal; line-height: normal; orphans: auto; text-align:
            start; text-indent: 0px; text-transform: none; white-space:
            normal; widows: auto; word-spacing: 0px;
            -webkit-text-stroke-width: 0px;">
            <div class="moz-cite-prefix">On 11/25/2013 08:14 AM, Emil
              Petersson wrote:<br>
            </div>
            <blockquote cite="mid:5293694E.9060606@melt.se" type="cite">Hi,<br>
              <br>
              I'm running FreeIPA 3.0 under RHEL6.4. I'm seeing some
              unexpected behaviour with winsync replication.<br>
              <br>
              1. I have a working winsync agreement, and users are
              synced correctly.<br>
              <br>
              2. If a user already exists in IPA when I sync it from
              AD, I'm seeing the following in the dirsrv error logs:<br>
              <br>
                  [25/Nov/2013:14:29:03 +0000] NSMMReplicationPlugin -
              windows_update_local_entry: failed to modify entry
              uid=username,cn=users,cn=accounts,dc=domain,dc=net - error
              21:Invalid syntax<br>
              <br>
                  I assume this is because the user already exists in
              dirsrv? Fine.<br>
            </blockquote>
            <br>
            No.  Error 21 is Invalid Syntax.  This means the format of
            the data in the attribute in AD is not correct for the given
            syntax.  For example, if the syntax is Integer, this means
            the data should be a valid integer.  However, AD allows data
            that violates LDAP syntax.<br>
            <br>
            Can you post the data from the AD entry that corresponds to
            uid=username,cn=users,cn=accounts,dc=domain,dc=net?  Please
            be sure to obscure any sensitive data.  I'd like to identify
            the data that is causing this problem.<br>
          </div>
        </blockquote>
        <div><br>
        </div>
        <div>Certainly, here goes:</div>
        <div><br>
        </div>
        <div>
          <div>dn: CN=Firstname
            Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=</div>
          <div> domain,DC=com</div>
          <div>objectClass: top</div>
          <div>objectClass: person</div>
          <div>objectClass: organizationalPerson</div>
          <div>objectClass: user</div>
          <div>cn: Firstname Lastname</div>
          <div>sn: Lastname</div>
          <div>title: Sysadmin</div>
          <div>description: Employee</div>
          <div>physicalDeliveryOfficeName: XX-XX-XX</div>
          <div>telephoneNumber: +00 00 000 0</div>
          <div>facsimileTelephoneNumber: +00 00 000 0</div>
          <div>givenName: Firstname</div>
          <div>distinguishedName: CN=Firstname
            Lastname,OU=LDAP,OU=Domain,OU=Users,OU=Domain,OU=O</div>
          <div> rganization,DC=domain,DC=com</div>
          <div>instanceType: 4</div>
          <div>whenCreated: 20110321122858.0Z</div>
          <div>whenChanged: 20131120104224.0Z</div>
          <div>displayName: Firstname Lastname</div>
          <div>uSNCreated: 76590</div>
          <div> ngame,DC=com</div>
          <div>memberOf:
            CN=All,OU=OrgGroups,OU=Organization,DC=domain,DC=com</div>
          <div>memberOf:
            CN=sysadmins,OU=OrgGroups,OU=Organization,DC=domain,DC=com</div>
          <div>uSNChanged: 66378160</div>
          <div>department: Infrastructure</div>
          <div>company: Company name</div>
          <div>homeMTA: CN=Microsoft MTA,CN=MBX,CN=Servers,CN=Exchange
            Administrative Group (</div>
          <div> FYDIBOHF23SPDLT),CN=Administrative
            Groups,CN=globalmail,CN=Microsoft Exchange</div>
          <div> ,CN=Services,CN=Configuration,DC=domain,DC=com</div>
          <div>proxyAddresses: <a class="moz-txt-link-freetext" href="SMTP:first.last@">SMTP:first.last@</a><a moz-do-not-send="true"
              href="http://domain.com">domain.com</a></div>
          <div>proxyAddresses: <a class="moz-txt-link-freetext" href="smtp:first.last@">smtp:first.last@</a><a moz-do-not-send="true"
              href="http://domain2.com">domain2.com</a></div>
          <div>proxyAddresses: <a class="moz-txt-link-freetext" href="smtp:first.last@">smtp:first.last@</a><a moz-do-not-send="true"
              href="http://domain3.com">domain3.com</a></div>
          <div>proxyAddresses: <a moz-do-not-send="true"
              href="sip:first.last@domain.com">sip:first.last@domain.com</a></div>
          <div>proxyAddresses: X400:C=SE;A=
            ;P=globalmail;O=Exchange;S=Lastname;G=Firstname;</div>
          <div>homeMDB: CN=DB3,CN=SG03 -
            2GB,CN=InformationStore,CN=MBX,CN=Servers,CN=Exchang</div>
          <div> e Administrative Group
            (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=globalma</div>
          <div> il,CN=Microsoft
            Exchange,CN=Services,CN=Configuration,DC=domain,DC=com</div>
          <div>garbageCollPeriod: 1209600</div>
          <div>mDBUseDefaults: TRUE</div>
          <div>extensionAttribute8: Companyname</div>
          <div>mailNickname: username</div>
          <div>protocolSettings:: SFRUUMKnMcKnMcKnwqfCp8KnwqfCpw==</div>
          <div>protocolSettings:: T1dBwqcx</div>
          <div>internetEncoding: 0</div>
          <div>name: Firstnam Lastname</div>
          <div>objectGUID:: pDdL7yY7gEuqRdQLTjLo0w==</div>
          <div>userAccountControl: 512</div>
          <div>badPwdCount: 0</div>
          <div>codePage: 0</div>
          <div>countryCode: 0</div>
          <div>homeDirectory: <a moz-do-not-send="true"
              href="smb://path/to/home">\\path\to\home</a></div>
          <div>homeDrive: H:</div>
          <div>badPasswordTime: 130295283826410995</div>
          <div>lastLogoff: 0</div>
          <div>lastLogon: 130297464093469882</div>
          <div>pwdLastSet: 130294130189116476</div>
          <div>primaryGroupID: 513</div>
          <div>objectSid:: AQUAAAoiadjfojdfojsodijfQkAH5TsrAA==</div>
          <div>accountExpires: 0</div>
          <div>logonCount: 6909</div>
          <div>sAMAccountName: username</div>
          <div>sAMAccountType: 805306368</div>
          <div>showInAddressBook: CN=Default Global Address List,CN=All
            Global Address Lists,</div>
          <div> CN=Address Lists Container,CN=globalmail,CN=Microsoft
            Exchange,CN=Services,CN</div>
          <div> =Configuration,DC=domain,DC=com</div>
          <div>showInAddressBook: CN=All Users,CN=All Address
            Lists,CN=Address Lists Containe</div>
          <div> r,CN=globalmail,CN=Microsoft
            Exchange,CN=Services,CN=Configuration,DC=domain,</div>
          <div> DC=com</div>
          <div>legacyExchangeDN: /o=globalmail/ou=Exchange
            Administrative Group (FYDIBOHF23SP</div>
          <div> DLT)/cn=Recipients/cn=username</div>
          <div>userPrincipalName: <a moz-do-not-send="true"
              href="mailto:first@domain.com">first@domain.com</a></div>
          <div>lockoutTime: 0</div>
          <div>ipPhone: +00 00 00 00</div>
          <div>objectCategory:
            CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com</div>
          <div>dSCorePropagationData: 20131118102944.0Z</div>
          <div>dSCorePropagationData: 20131118102934.0Z</div>
          <div>dSCorePropagationData: 20130313150036.0Z</div>
          <div>dSCorePropagationData: 20120821144903.0Z</div>
          <div>dSCorePropagationData: 16010101181216.0Z</div>
          <div>lastLogonTimestamp: 130294177442871790</div>
          <div>textEncodedORAddress: c=XX;a=
            ;p=globalmail;o=Exchange;s=Lastname;g=Firstname;</div>
          <div>mail: <a moz-do-not-send="true"
              href="mailto:first.last@domain.com">first.last@domain.com</a></div>
          <div>manager: CN=Manager
            Name,OU=Domain,OU=Users,OU=Domain,OU=Organization,DC=o</div>
          <div> ngame,DC=com</div>
          <div>mobile:: KzQ2NzI3mjMEMTEwwqAJ</div>
          <div>thumbnailPhoto::
            /9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAABkA</div>
          <div> -snip-</div>
          <div> uaC3IbWlp5cQtpnwnCmjkd9LrDoNFIUDThZwzyrwJbl21//9k=</div>
          <div>msExchHomeServerName: /o=globalmail/ou=Exchange
            Administrative Group (FYDIBOHF</div>
          <div> 23SPDLT)/cn=Configuration/cn=Servers/cn=MBX</div>
          <div>msExchMailboxSecurityDescriptor::
            AQAUjBQAAAAgAAAALAAAAFwAAAABAQAAAAAABQoAAAAB</div>
          <div> -snip-</div>
          <div> AQAAAAAABQoAAAACADAAAgAAAALQFAADAA0AAQEAAAAAAAEAAAAAAtoUAGsBDQABAQAAAAAAAQAAA</div>
          <div>msExchUserAccountControl: 0</div>
          <div>msExchMailboxGuid:: uWv8V7HNHUiyda0z/FRc+w==</div>
          <div>msExchPoliciesIncluded:
            {A64061C3-9598-43A1-9125-B5C682DEDA40},{26491CFC-9E50-</div>
          <div> 4857-861B-0CB8DF22B5D7}</div>
          <div>msRTCSIP-Line: TEL:+46812136492</div>
          <div>msRTCSIP-DeploymentLocator: SRV:</div>
          <div>msExchUserCulture: sv-SE,en-US</div>
          <div>msExchMobileMailboxFlags: 1</div>
          <div>msExchRecipientDisplayType: 1073741824</div>
          <div>msExchVersion: 4535486012416</div>
          <div>msRTCSIP-FederationEnabled: TRUE</div>
          <div>msRTCSIP-PrimaryUserAddress: <a moz-do-not-send="true"
              href="sip:first.last@domain.com">sip:first.last@domain.com</a></div>
          <div>msExchRecipientTypeDetails: 1</div>
          <div>msRTCSIP-InternetAccessEnabled: TRUE</div>
          <div>msRTCSIP-UserPolicies: 0=481565286</div>
          <div>msExchMDBRulesQuota: 64</div>
          <div>msRTCSIP-OptionFlags: 385</div>
          <div>msRTCSIP-UserEnabled: TRUE</div>
          <div>msRTCSIP-PrimaryHomeServer: CN=Lc
            Services,CN=Microsoft,CN=1:1,CN=Pools,CN=RTC</div>
          <div>  Service,CN=Services,CN=Configuration,DC=domain,DC=com</div>
        </div>
        <div><br>
        </div>
        <div>Please note that the same user would sync OK if I hadn't
          attempted to sync it earlier when the duplicate IPA entry was
          in place. This is the strangest part... once a user is synced
          and there's a duplicate in place, we get error 21 and after
          that the user will be ignored in future syncs. Even if we
          recreate the agreement.</div>
        <div><br>
        </div>
        <div>Question, if a duplicate entry exists in IPA, what's the
          expected behaviour? Should the user get synced anyway, or
          should it fail?</div>
      </div>
    </blockquote>
    <br>
    It should get synced - it should try to update the entry with any
    missing or out-of-date information.<br>
    <br>
    <blockquote cite="mid:EDC9EBD9-3A79-478A-ACE5-20D493F21857@melt.se"
      type="cite">
      <div>
        <div><br>
        </div>
        <div>Please let me know if you need anything else. Setting
          nsslapd-errorlog-level: 8192 more or less says the same
          thing... error 21, and then it just moves on. I could provide
          you with the debug though, if wanted.</div>
      </div>
    </blockquote>
    <br>
    Yes, please.<br>
    <br>
    <blockquote cite="mid:EDC9EBD9-3A79-478A-ACE5-20D493F21857@melt.se"
      type="cite">
      <div><br>
        <blockquote type="cite">
          <div bgcolor="#FFFFFF" text="#000000" style="font-family:
            Helvetica; font-size: 15px; font-style: normal;
            font-variant: normal; font-weight: normal; letter-spacing:
            normal; line-height: normal; orphans: auto; text-align:
            start; text-indent: 0px; text-transform: none; white-space:
            normal; widows: auto; word-spacing: 0px;
            -webkit-text-stroke-width: 0px;"><br>
            <blockquote cite="mid:5293694E.9060606@melt.se" type="cite"><br>
              3. Then I remove the corresponding user from IPA and force
              another sync from AD, hoping that the user will sync
              properly this time, and thus have its ntUser* attributes
              created:<br>
              <br>
                  [25/Nov/2013:14:29:09 +0000] NSMMReplicationPlugin -
              agmt="cn=<a moz-do-not-send="true"
                href="http://metoad.domain.com/">meToAD.domain.com</a>"
              (dc03:389): map_entry_dn_inbound: looking for local entry
              by uid [username]<br>
                  [25/Nov/2013:14:29:09 +0000] - Windows sync entry:
              Adding new local entry dn:
              uid=username,cn=users,cn=accounts,dc=domain,dc=net<br>
                  [25/Nov/2013:14:29:09 +0000] NSMMReplicationPlugin -
              add operation of entry
              uid=username,cn=users,cn=accounts,dc=domain,dc=net
              returned: 21<br>
              <br>
              It's like something (either AD or IPA) remembers that a
              user has failed once, and then refuses to sync it any
              more. Removing the winsync agreement and recreating it
              completely doesn't help. The user is still not synced, and
              leaves error code 21.<br>
              <br>
              Does anyone have any idea why this is, and how I can sync
              the user even though it has failed once?<br>
            </blockquote>
          </div>
        </blockquote>
      </div>
      <br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
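    <div>Rich's explanation earlier in the thread (error 21 means an AD value violates the LDAP syntax that 389-ds enforces, while AD itself does not enforce it) and his request to identify the offending data describe a check that can be scripted. The following is an added example, not code from the thread, from 389-ds or from FreeIPA: it pulls the failing DNs out of the dirsrv error-log format quoted above, then scans an LDIF export of the AD entry for values that fail the Telephone Number (PrintableString), INTEGER or BOOLEAN syntax. The attribute-to-syntax table is a simplified assumption (the directory's own schema is authoritative), and the sample data is constructed: the mobile value deliberately ends in a non-breaking space and a tab, the kind of value AD stores without complaint and ldapsearch prints base64-encoded with a double colon.</div>
    <pre>
```python
import base64
import re

# RFC 4517 PrintableString alphabet: letters, digits, ' ( ) + , - . / : ? = and space.
# Telephone Number syntax (OID 1.3.6.1.4.1.1466.115.121.1.50) is exactly this set,
# so a non-breaking space, tab or accented letter in a phone number is error 21.
PRINTABLE = re.compile(r"^[A-Za-z0-9'()+,\-./:?= ]+$")
INTEGER = re.compile(r"^-?[0-9]+$")

# Simplified attribute-to-syntax table (an assumption for this example; the
# authoritative mapping is the directory's own schema under cn=schema).
TELEPHONE_ATTRS = {"telephonenumber", "facsimiletelephonenumber", "mobile",
                   "ipphone", "homephone", "pager"}
INTEGER_ATTRS = {"useraccountcontrol", "badpwdcount", "codepage", "countrycode",
                 "primarygroupid", "logoncount", "instancetype"}
BOOLEAN_ATTRS = {"mdbusedefaults"}
STRING_SYNTAX = TELEPHONE_ATTRS | INTEGER_ATTRS | BOOLEAN_ATTRS

# Matches the two winsync failure lines quoted in the thread's dirsrv error log.
LOG_FAILURE = re.compile(
    r"(?:failed to modify entry (?P<mod>\S+) - error (?P<err1>\d+)"
    r"|add operation of entry (?P<add>\S+) returned: (?P<err2>\d+))")


def failed_entries_from_errorlog(log_text):
    """Return [(dn, ldap_error_code)] for winsync add/modify failures in an errors log."""
    found = []
    for line in log_text.splitlines():
        m = LOG_FAILURE.search(line)
        if m:
            found.append((m.group("mod") or m.group("add"),
                          int(m.group("err1") or m.group("err2"))))
    return found


def parse_ldif(text):
    """Parse one LDIF entry (RFC 2849) into [(attr, raw_bytes, was_base64)].
    Folded continuation lines (leading space) are joined and 'attr:: value'
    is base64-decoded.  File-reference values are not handled."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # unfold continuation line
        elif line and not line.startswith("#"):
            logical.append(line)
    entries = []
    for line in logical:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # attr:: base64
            entries.append((attr, base64.b64decode(value[1:].strip()), True))
        else:                                 # attr: plain value (one space after colon)
            plain = value[1:] if value.startswith(" ") else value
            entries.append((attr, plain.encode("utf-8"), False))
    return entries


def check_value(attr, raw, was_base64):
    """Return a reason string when the value violates its expected syntax, else None."""
    name = attr.lower()
    if name not in STRING_SYNTAX:
        return None                           # binary/other syntaxes not checked here
    hint = " (LDIF base64-encoded it: non-ASCII or control characters present)" if was_base64 else ""
    try:
        value = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "not valid UTF-8" + hint
    if name in TELEPHONE_ATTRS and not PRINTABLE.match(value):
        bad = sorted({c for c in value if not PRINTABLE.match(c)})
        return ("Telephone Number syntax (PrintableString) violated by "
                + ", ".join("U+%04X" % ord(c) for c in bad) + hint)
    if name in INTEGER_ATTRS and not INTEGER.match(value):
        return "INTEGER syntax violated by %r" % value + hint
    if name in BOOLEAN_ATTRS and value not in ("TRUE", "FALSE"):
        return "BOOLEAN syntax violated by %r" % value + hint
    return None


def find_syntax_violations(ldif_text):
    """Return [(attr, reason)] for every value 389-ds would reject with error 21."""
    findings = []
    for attr, raw, was_b64 in parse_ldif(ldif_text):
        reason = check_value(attr, raw, was_b64)
        if reason:
            findings.append((attr, reason))
    return findings


# Constructed sample data (not from the thread): the log lines mirror the two
# failures quoted above; the LDIF is modelled on the posted AD entry, with a
# mobile value that ends in a non-breaking space and a tab.
SAMPLE_LOG = "\n".join([
    "[25/Nov/2013:14:29:03 +0000] NSMMReplicationPlugin - windows_update_local_entry: "
    "failed to modify entry uid=username,cn=users,cn=accounts,dc=domain,dc=net - error 21:Invalid syntax",
    "[25/Nov/2013:14:29:09 +0000] NSMMReplicationPlugin - add operation of entry "
    "uid=username,cn=users,cn=accounts,dc=domain,dc=net returned: 21",
])
BAD_MOBILE = "+46 70 123 45 67\u00a0\t"       # AD accepts this; 389-ds does not
SAMPLE_LDIF = "\n".join([
    "dn: CN=Firstname Lastname,OU=Users,DC=domain,DC=com",
    "objectClass: user",
    "telephoneNumber: +00 00 000 0",
    "distinguishedName: CN=Firstname Lastname,OU=Users,DC=do",
    " main,DC=com",                            # RFC 2849 folded line
    "userAccountControl: 512",
    "mDBUseDefaults: TRUE",
    "objectGUID:: " + base64.b64encode(bytes(range(16))).decode("ascii"),
    "mobile:: " + base64.b64encode(BAD_MOBILE.encode("utf-8")).decode("ascii"),
])

if __name__ == "__main__":
    for dn, code in failed_entries_from_errorlog(SAMPLE_LOG):
        print("winsync failed on %s with LDAP error %d" % (dn, code))
    for attr, reason in find_syntax_violations(SAMPLE_LDIF):
        print("  offending attribute %s: %s" % (attr, reason))
```
    </pre>
    <div>Run it against the LDIF that ldapsearch -LLL prints for the AD entry. A double colon after an attribute name in that output is the first thing to look at, because LDIF only base64-encodes a value when it contains non-ASCII or control characters or starts or ends with a space, and those are precisely the characters that fail the PrintableString check for telephone-number attributes.</div>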
  </body>
</html>