Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD
Hi Rich!

I turned on the log and see the following records:

    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: start_backoff - backoff
    [13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV:
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replicageneration} 5440f0390003
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa.test-csbi-its.ru:389} 5440f03900010003 5464956e0003 5464956e
    [13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV:
    [13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
    [13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV is newer
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Cancelling linger on the connection
    [13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state before 546495820001:1415878018:0:0
    [13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state after 54649586:1415878022:0:0
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: backoff - sending_updates
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Beginning linger on the connection
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: sending_updates - start_backoff

Best regards,
Valeriy

On 10/29/2014 03:19 AM, Сапегин Валерий wrote:

Yes Dmitri, ldapsearch works well:

    [root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b cn=users,dc=csbigroup,dc=ru
    dn: cn=users,dc=csbigroup,dc=ru
    objectClass: top
    objectClass: container
    cn: Users
    description: Default container for upgraded user accounts
    distinguishedName: CN=Users,DC=csbigroup,DC=ru
    instanceType: 4
    ...
    ...

Ok. Now try to do a windows sync with the dirsrv replication error log level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Then we can take a look at the detailed errors.

Best regards,
Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unitaip gmail com:

Hello!

I tried to configure synchronization between FreeIPA and Windows AD 2012. The first time, accounts from AD synchronized properly, but the next scheduled run after 5 min does not work, and in the error log I see the following errors:

    # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
    [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.

First synchronization out:

    Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
    ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
    Windows PassSync entry exists, not resetting password
    ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    Update in progress, 13 seconds elapsed
    [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
    Failed to start replication

FreeIPA server version 3.3.3
OS version Centos 7
AD Domain 2012

Can you help me to resolve this problem?

Best regards,
Valeriy

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
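
An added example, not part of any message in this thread: a small Python parser for the NSMMReplicationPlugin agreement lines quoted above, which rebuilds the agreement's state transitions and collects the "Replica has no update vector" messages. The sample lines are copied from the thread; the function names and the "looping" heuristic are assumptions of this example, and both "-" and "->" are accepted as the state separator.

```python
import re
from datetime import datetime

# Lines copied from the 389-ds errors log quoted in this thread.
SAMPLE = """\
[23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: start_backoff - backoff
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: backoff - sending_updates
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: sending_updates - start_backoff
"""

# agmt=cn=NAME (host:port): message; optional quotes and a stray space tolerated
AGMT_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin\s+-\s+'
    r'agmt="?cn=\s*(?P<agmt>[^\s"]+)"?\s+\((?P<peer>[^)]+)\):\s*(?P<msg>.*)$')
# The archived copy shows "a - b"; "a -> b" is accepted as well
STATE = re.compile(r'^State:\s*(\w+)\s*-+>?\s*(\w+)\s*$')
NO_RUV = "Replica has no update vector"


def parse(text):
    """Yield (timestamp, agreement, peer, message) for each agreement line."""
    for raw in text.splitlines():
        m = AGMT_LINE.match(raw.strip())
        if m:  # lines without an agmt= field (e.g. acquire_replica) are skipped
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["agmt"], m["peer"], m["msg"]


def summarize(text):
    """Per agreement: state transitions, no-RUV message times, retry-loop flag."""
    report = {}
    for ts, agmt, peer, msg in parse(text):
        entry = report.setdefault(
            agmt, {"peer": peer, "transitions": [], "no_ruv": []})
        state = STATE.match(msg)
        if state:
            entry["transitions"].append(state.groups())
        elif msg.startswith(NO_RUV):
            entry["no_ruv"].append(ts)
    for entry in report.values():
        t = entry["transitions"]
        # Assumed heuristic: the transitions end in the state they started
        # from and the peer was reported as never initialized on the way.
        entry["looping"] = bool(t and entry["no_ruv"] and t[0][0] == t[-1][1])
        stamps = entry["no_ruv"]
        entry["gaps_s"] = [
            (b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return report


if __name__ == "__main__":
    for name, e in summarize(SAMPLE).items():
        print(name, e["peer"], len(e["no_ruv"]), e["transitions"], e["looping"])
```
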
Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD
On 11/13/2014 05:14 AM, Сапегин Валерий wrote:

Hi Rich!

I turned on the log and see the following records:

    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: start_backoff - backoff
    [13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV:
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replicageneration} 5440f0390003
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa.test-csbi-its.ru:389} 5440f03900010003 5464956e0003 5464956e
    [13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV:
    [13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
    [13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV is newer
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Cancelling linger on the connection
    [13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state before 546495820001:1415878018:0:0
    [13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state after 54649586:1415878022:0:0
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: backoff - sending_updates
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Beginning linger on the connection
    [13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: sending_updates - start_backoff

There is no windows sync trace activity here. You have to first enable the replication log level, then do something that will trigger windows sync activity.

Best regards,
Valeriy

On 10/29/2014 03:19 AM, Сапегин Валерий wrote:

Yes Dmitri, ldapsearch works well:

    [root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b cn=users,dc=csbigroup,dc=ru
    dn: cn=users,dc=csbigroup,dc=ru
    objectClass: top
    objectClass: container
    cn: Users
    description: Default container for upgraded user accounts
    distinguishedName: CN=Users,DC=csbigroup,DC=ru
    instanceType: 4
    ...
    ...

Ok. Now try to do a windows sync with the dirsrv replication error log level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Then we can take a look at the detailed errors.

Best regards,
Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unitaip gmail com:

Hello!

I tried to configure synchronization between FreeIPA and Windows AD 2012. The first time, accounts from AD synchronized properly, but the next scheduled run after 5 min does not work, and in the error log I see the following errors:

    # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
    [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.

First synchronization out:

    Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
    ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
    Windows PassSync entry exists, not resetting password
    ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    Update in progress, 13 seconds elapsed
    [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't
Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD
Yes Dmitri, ldapsearch works well:

    [root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b cn=users,dc=csbigroup,dc=ru
    dn: cn=users,dc=csbigroup,dc=ru
    objectClass: top
    objectClass: container
    cn: Users
    description: Default container for upgraded user accounts
    distinguishedName: CN=Users,DC=csbigroup,DC=ru
    instanceType: 4
    ...
    ...

Best regards,
Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unit...@gmail.com:

Hello!

I tried to configure synchronization between FreeIPA and Windows AD 2012. The first time, accounts from AD synchronized properly, but the next scheduled run after 5 min does not work, and in the error log I see the following errors:

    # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
    [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.

First synchronization out:

    Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
    ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
    Windows PassSync entry exists, not resetting password
    ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    Update in progress, 13 seconds elapsed
    [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
    Failed to start replication

FreeIPA server version 3.3.3
OS version Centos 7
AD Domain 2012

Can you help me to resolve this problem?

Best regards,
Valeriy
Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD
On 10/29/2014 03:19 AM, Сапегин Валерий wrote:

Yes Dmitri, ldapsearch works well:

    [root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b cn=users,dc=csbigroup,dc=ru
    dn: cn=users,dc=csbigroup,dc=ru
    objectClass: top
    objectClass: container
    cn: Users
    description: Default container for upgraded user accounts
    distinguishedName: CN=Users,DC=csbigroup,DC=ru
    instanceType: 4
    ...
    ...

Ok. Now try to do a windows sync with the dirsrv replication error log level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Then we can take a look at the detailed errors.

Best regards,
Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unit...@gmail.com:

Hello!

I tried to configure synchronization between FreeIPA and Windows AD 2012. The first time, accounts from AD synchronized properly, but the next scheduled run after 5 min does not work, and in the error log I see the following errors:

    # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
    [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.

First synchronization out:

    Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
    ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
    Windows PassSync entry exists, not resetting password
    ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    Update in progress, 13 seconds elapsed
    [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
    Failed to start replication

FreeIPA server version 3.3.3
OS version Centos 7
AD Domain 2012

Can you help me to resolve this problem?

Best regards,
Valeriy
[Freeipa-users] Synchronization Agreements between FreeIPA and AD
Hello!

I tried to configure synchronization between FreeIPA and Windows AD 2012. The first time, accounts from AD synchronized properly, but the next scheduled run after 5 min does not work, and in the error log I see the following errors:

    # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
    [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn= meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.

First synchronization out:

    Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
    ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
    Windows PassSync entry exists, not resetting password
    ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    Update in progress, 13 seconds elapsed
    [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]
    Failed to start replication

FreeIPA server version 3.3.3
OS version Centos 7
AD Domain 2012

Can you help me to resolve this problem?

Best regards,
Valeriy
Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD
On 10/23/2014 10:26 AM, Dmitri Pal wrote:

On 10/23/2014 08:19 AM, Сапегин Валерий wrote:

Hello!

I tried to configure synchronization between FreeIPA and Windows AD 2012. The first time, accounts from AD synchronized properly, but the next scheduled run after 5 min does not work, and in the error log I see the following errors:

    # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
    [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.

First synchronization out:

    Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate database for ipa.test-csbi-its.ru
    ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
    The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
    Windows PassSync entry exists, not resetting password
    ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    Update in progress, 13 seconds elapsed
    [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server]

Can you connect from this replica to AD using ldapsearch?

specifically

    $ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -ZZ -h fqdn.of.windows.machine -D cn=administrator,cn=users,dc=csbigroup,dc=ru -w windows admin password -s base -b cn=users,dc=csbigroup,dc=ru

    Failed to start replication

FreeIPA server version 3.3.3
OS version Centos 7
AD Domain 2012

Can you help me to resolve this problem?

Best regards,
Valeriy

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.