On 11/13/2014 05:14 AM, Сапегин Валерий wrote:
Hi Rich!

I turned on the log and see the following records

[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): State: start_backoff -> backoff
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV:
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replicageneration} 5440f039000000030000
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa.test-csbi-its.ru:389} 5440f039000100030000 5464956e000000030000 5464956e
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV:
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV is newer
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Cancelling linger on the connection
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state before 546495820001:1415878018:0:0
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state after 546495860000:1415878022:0:0
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): State: backoff -> sending_updates
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Beginning linger on the connection
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): State: sending_updates -> start_backoff


There is no windows sync trace activity here. You have to first enable the replication log level, then do something that will trigger windows sync activity.

Best regards, Valeriy
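
A small triage script for the errors-log excerpt above, added here as an example (it is not part of the original messages and is not FreeIPA or 389-ds code). It groups the agreement lines, lists the state transitions, and flags a session that returns to start_backoff with "Replica has no update vector"; the sample lines are copied from the excerpt with the mail archive's link debris removed, and the function and pattern names are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the excerpt in this thread (link debris removed).
AG = 'agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389)'
TS = "[13/Nov/2014:14:27:02 +0300]"
SAMPLE_LOG = "\n".join([
    f"{TS} NSMMReplicationPlugin - {AG}: State: start_backoff -> backoff",
    f"{TS} - acquire_replica, consumer RUV = null",
    f"{TS} NSMMReplicationPlugin - {AG}: State: backoff -> sending_updates",
    f"{TS} NSMMReplicationPlugin - {AG}: Replica has no update vector. "
    "It has never been initialized.",
    f"{TS} NSMMReplicationPlugin - {AG}: State: sending_updates -> start_backoff",
])

# "[timestamp] [subsystem ]- message"; the subsystem is absent on some lines.
LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?:(?P<subsys>\S+) )?- (?P<msg>.*)$')
AGMT = re.compile(r'^agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<text>.*)$')
STATE = re.compile(r'^State: (\S+) -> (\S+)$')

def summarize(log_text):
    """Return (per-agreement report, whether a null consumer RUV was logged)."""
    report = defaultdict(lambda: {"transitions": [], "never_initialized": 0})
    consumer_ruv_null = False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or truncated line: skip rather than guess
        msg = m.group("msg")
        if msg.startswith("acquire_replica, consumer RUV = null"):
            consumer_ruv_null = True
        a = AGMT.match(msg)
        if not a:
            continue
        entry = report[a.group("agmt")]
        s = STATE.match(a.group("text"))
        if s:
            entry["transitions"].append((s.group(1), s.group(2)))
        elif "Replica has no update vector" in a.group("text"):
            entry["never_initialized"] += 1
    for entry in report.values():
        t = entry["transitions"]
        # The session started and ended in start_backoff: nothing was sent.
        entry["backoff_loop"] = bool(t) and t[0][0] == t[-1][1] == "start_backoff"
    return dict(report), consumer_ruv_null

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
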



On 10/29/2014 03:19 AM, Сапегин Валерий wrote:
Yes Dmitri, ldapsearch works well:

[root ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D "cn=ipa-test,cn=users,dc=csbigroup,dc=ru" -w "ttttttttt" -s base -b "cn=users,dc=csbigroup,dc=ru"
dn: cn=users,dc=csbigroup,dc=ru
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=csbigroup,DC=ru
instanceType: 4
...
...


Ok. Now try to do a windows sync with the dirsrv replication error log level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Then we can take a look at the detailed errors.


Best regards, Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий <unitaip gmail com>:

    Hello!

    I tried to configure synchronization between FreeIPA and Windows
    AD 2012. The first time, accounts from AD synchronized properly,
    but the next scheduled run after 5 min does not work, and in the
    error log I see the following errors:

    # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
    [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.

    First synchronization out

    Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
    ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
    Windows PassSync entry exists, not resetting password
    ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    Update in progress, 13 seconds elapsed
    [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]

    Failed to start replication



    FreeIPA server version 3.3.3
    OS version Centos 7
    AD Domain 2012

    Can you help me to resolve this problem?

    Best regards, Valeriy





