I have installed a new replica in our IPA domain and configured it to do a winsync with Windows 2012R2. It creates the agreement but then after a while it dies. It appears something isn't configured just right. The Windows client is using the passsync user on my side, and I'm creating the sync using a Windows account that has the appropriate permissions.
This is what I see after about 10 minutes of the sync running from the server side.

[22/Feb/2017:23:43:33.103632587 +0000] agmt="cn= meTolas01-050-005.axi.mtech.int" (las01-050-005:389) - Can't locate CSN 58ae2255000000180000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[22/Feb/2017:23:43:33.105866800 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=meTolas01-050-005.axi.mtech.int" (las01-050-005:389): CSN 58ae2255000000180000 not found, we aren't as up to date, or we purged
[22/Feb/2017:23:43:33.107971862 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTolas01-050-005.axi.mtech.int" (las01-050-005:389): Data required to update replica has been purged. The replica must be reinitialized.
[22/Feb/2017:23:43:33.109455154 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTolas01-050-005.axi.mtech.int" (las01-050-005:389): Incremental update failed and requires administrator action

On the Windows Side, we show either DSA is unwilling to perform, or Insufficient access. We are using the passsync user that was created during the sync.

02/21/17 15:25:20: PassSync service initialized
02/21/17 15:25:20: PassSync service running
02/21/17 15:25:20: dataFilename is C:\Windows\System32\passhook.dat
02/21/17 15:25:20: 1 new entries loaded from data file
02/21/17 15:25:20: Cleared contents of data file
02/21/17 15:25:20: Password list has 1 entries
02/21/17 15:25:20: Ldap bind error in Connect 53: DSA is unwilling to perform
02/21/17 15:25:20: Attempting to sync password for jeremiah.pedersen
02/21/17 15:25:20: Searching for (uid=jeremiah.pedersen)
02/21/17 15:25:20: Password match, no modify performed: jeremiah.pedersen
02/21/17 15:25:20: Removing password change from list
02/21/17 15:25:20: Password list is empty. Waiting for passhook event
02/21/17 17:19:42: Received passhook event. Attempting sync
02/21/17 17:19:42: 1 new entries loaded from data file
02/21/17 17:19:42: Cleared contents of data file
02/21/17 17:19:42: Password list has 1 entries
02/21/17 17:19:42: Ldap bind error in Connect 53: DSA is unwilling to perform
02/21/17 17:19:42: Attempting to sync password for jeremiah
02/21/17 17:19:42: Searching for (uid=jeremiah)
02/21/17 17:19:42: Password match, no modify performed: jeremiah
02/21/17 17:19:42: Removing password change from list
02/21/17 17:19:42: Password list is empty. Waiting for passhook event
02/22/17 05:05:15: Received passhook event. Attempting sync
02/22/17 05:05:15: 1 new entries loaded from data file
02/22/17 05:05:15: Cleared contents of data file
02/22/17 05:05:15: Password list has 1 entries
02/22/17 05:05:15: Ldap bind error in Connect 53: DSA is unwilling to perform
02/22/17 05:05:15: Attempting to sync password for ray
02/22/17 05:05:15: Searching for (uid=ray)
02/22/17 05:05:15: Ldap error in ModifyPassword 50: Insufficient access
02/22/17 05:05:15: Modify password failed for remote entry: uid=ray,cn=users,cn=accounts,dc=lxi,dc=mtech,dc=int
02/22/17 05:05:15: Deferring password change for ray
02/22/17 05:05:15: Backing off for 2000ms
02/22/17 05:05:17: Backoff time expired. Attempting sync
02/22/17 05:05:17: Password list has 1 entries
02/22/17 05:05:17: Ldap bind error in Connect 53: DSA is unwilling to perform
02/22/17 05:05:17: Attempting to sync password for ray
02/22/17 05:05:17: Searching for (uid=ray)
02/22/17 05:05:17: Ldap error in ModifyPassword 50: Insufficient access
02/22/17 05:05:17: Modify password failed for remote entry: uid=ray,cn=users,cn=accounts,dc=lxi,dc=mtech,dc=int
02/22/17 05:05:17: Deferring password change for ray
02/22/17 05:05:17: Backing off for 4000ms
02/22/17 05:05:21: Backoff time expired. Attempting sync
02/22/17 05:05:21: Password list has 1 entries
02/22/17 05:05:21: Ldap bind error in Connect 53: DSA is unwilling to perform
02/22/17 05:05:21: Attempting to sync password for ray
02/22/17 05:05:21: Searching for (uid=ray)
02/22/17 05:05:21: Ldap error in ModifyPassword 50: Insufficient access
02/22/17 05:05:21: Modify password failed for remote entry: uid=ray,cn=users,cn=accounts,dc=lxi,dc=mtech,dc=int
02/22/17 05:05:21: Deferring password change for ray
02/22/17 05:05:21: Backing off for 8000ms
02/22/17 05:05:29: Backoff time expired. Attempting sync
02/22/17 05:05:29: Password list has 1 entries
02/22/17 05:05:29: Ldap bind error in Connect 53: DSA is unwilling to perform

Any help would greatly be appreciated.