[17/May/2016:10:56:53 -0300] - windows_conn_connect : detected Win2k3 or later peer
[17/May/2016:10:56:53 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): No linger to cancel on the connection
[17/May/2016:10:56:54 -0300] - _csngen_adjust_local_time: gen state before 573b22010001:1463493115:0:6
[17/May/2016:10:56:54 -0300] - _csngen_adjust_local_time: gen state after 573b232c0000:1463493414:0:6
[17/May/2016:10:56:54 -0300] NSMMReplicationPlugin - windows sync - windows_acquire_replica returned success (101)
[17/May/2016:10:56:54 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): State: ready_to_acquire_replica -> sending_updates
[17/May/2016:10:56:54 -0300] - csngen_adjust_time: gen state before 573b232c0001:1463493414:0:6
[17/May/2016:10:56:54 -0300] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: found DB object 1b9d570 for database /opt/dirsrv/var/lib/dirsrv/slapd-RNP/changelogdb/169ce382-1b9011e6-91ddc5b4-dc63c95a_55c88d99000000c80000.db
On Tue, May 17, 2016 at 10:08 AM, Alberto Viana <alberto...@gmail.com> wrote:
Noriko,
/Did you use the same version of 389-ds-base against AD
on 2008 R2 and 2012 R2?/
/389-Directory/1.3.4.8 B2016.063.1654/
/Please share the output from this command line "rpm -q
389-ds-base"?/
*I compiled 389 manually once the package in apt repo is
too old for me (I'm using ubuntu 14.04 LTS). What
specific info do you need?*
*ds-base is 1.3.4.8*
/Does this error message follow some other detailed
error messages? Such as .../
/YOUR_AGREEMENT_NAMEFailed to send %s operation: LDAP
error (ERROR_CODE) ERROR_MESSAGE/
/or /
/YOUR_AGREEMENT: Received error [%s] when attempting to
%s entry [%s]: Please correct the attribute specified in
the error message. Refer to the Windows Active
Directory docs for more information./
/If not, could you enable the replication log level and
share the error log with us?/
*After enable replication log level:*
*[17/May/2016:09:13:18 -0300] - Attempting to add entry cn=Benedito Maia,ou=pop-go,ou=POPS,ou=EXTERNOS,ou=RNP,dc=homolog,dc=rnp to AD for local entry uid=benedito.maia,ou=pop-go,ou=POPS,ou=EXTERNOS,ou=RNP,dc=homolog,dc=rnp*
*[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Received result code 32 (0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=POPS,OU=EXTERNOS,OU=RNP,DC=homolog,DC=rnp' ) for add operation*
*[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): windows_process_total_add: Cannot replay add operation.*
*[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Beginning linger on the connection*
*[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1*
*Once I do not have the same OU structure on both sides
(for testing purposes), I created
"ou=pop-go,ou=POPS,ou=EXTERNOS,ou=RNP,dc=homolog,dc=rnp"
on AD side and started to get error in another OU that I
have on 389 side but not in AD.*
*Is that the expected behavior?*
*PS: In my production environment we use this strategy
that what we don't want to be replicated, just not create
the OU structure and works fine. I never found a better
way to do that like an "exclude list".*
/Could you also share your Windows Sync agreement? Do
you happen to have 2 Directory Servers -- one for 2008R2
and another for 2012R2, could you provide both?/
*Here's my sync agreement:*
*dn: cn=AD - DF-GTI-DC01,cn=replica,cn=dc\3Dhomolog\2Cdc\3Drnp,cn=mapping tree,cn=config*
*objectClass: top*
*objectClass: nsDSWindowsReplicationAgreement*
*description: Sync with HOMOLOG DF-GTI-DC01*
*cn: AD - DF-GTI-DC01*
*nsds7WindowsReplicaSubtree: dc=homolog,dc=rnp*
*nsds7DirectoryReplicaSubtree: dc=homolog,dc=rnp*
*nsds7NewWinUserSyncEnabled: on*
*nsds7NewWinGroupSyncEnabled: on*
*nsds7WindowsDomain: homolog.rnp*
*nsDS5ReplicaRoot: dc=homolog,dc=rnp*
*nsDS5ReplicaHost: gti-df-dc01.homolog.rnp*
*nsDS5ReplicaPort: 636*
*nsDS5ReplicaBindDN: CN=Conta de sincronizacao do AD com LDAP 389,OU=APLICACOES,DC=homolog,DC=rnp*
*nsDS5ReplicaTransportInfo: SSL*
*nsDS5ReplicaBindMethod: SIMPLE*
*nsDS5ReplicaCredentials:*
*nsds7DirsyncCookie::*
*nsds5replicareapactive: 0*
*nsds5replicaLastUpdateStart: 20160517125737Z*
*nsds5replicaLastUpdateEnd: 20160517125737Z*
*nsds5replicaChangesSentSinceStartup:*
*nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started*
*nsds5replicaUpdateInProgress: FALSE*
*nsds5replicaLastInitStart: 20160517124301Z*
*nsds5replicaLastInitEnd: 20160517125236Z*
*nsds5replicaLastInitStatus: 1 connection error: operation failure - Total update aborted*
*In this testing environment, I just have 2012 r2 (I
upgraded all DCs to 2012). Right now, I don't have any
2008 r2 to test.*
*In my production environment I have:*
*389-ds-base 1.3.2.19 + Windows 2008 r2*
On Mon, May 16, 2016 at 6:02 PM, Noriko Hosoi <nho...@redhat.com> wrote:
On 05/16/2016 01:01 PM, Alberto Viana wrote:
I'm trying to setup a new scenario with 389 and AD
2012 R2 (So far I'm using with AD 2008 R2 and
everything works fine).
Did you use the same version of 389-ds-base against
AD on 2008 R2 and 2012 R2?
389-Directory/1.3.4.8 B2016.063.1654
Please share the output from this command line "rpm
-q 389-ds-base"?
Windows 2012 R2 64bits
Both 2008 R2 and 2012 R2 are supported.
:
After configure the AD replication and Initiate a
full sync, it starts to do some entries and I got
the following error:
[16/May/2016:16:36:47 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): windows_process_total_add: Cannot replay add operation.
Does this error message follow some other detailed
error messages? Such as ...
YOUR_AGREEMENT_NAMEFailed to send %s operation:
LDAP error (ERROR_CODE) ERROR_MESSAGE
or
YOUR_AGREEMENT: Received error [%s] when
attempting to %s entry [%s]: Please correct the
attribute specified in the error message. Refer
to the Windows Active Directory docs for more
information.
If not, could you enable the replication log level
and share the error log with us?
And after that:
[16/May/2016:16:36:47 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Replica has no update vector. It has never been initialized.
[16/May/2016:16:36:47 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Replica has no update vector. It has never been initialized.
[16/May/2016:16:36:51 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Replica has no update vector. It has never been initialized.
I found a really old ticket that seems to be
related to same error:
https://fedorahosted.org/389/ticket/47589
This is a regression only affected
389-ds-base-1.3.1.x. So, 1.3.4.x does not need the
patch.
but with win2008r2 and fixed.
According to this link ->
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/supported-ad.html
2012 R2 is supported, is that true?
Could you also share your Windows Sync agreement?
Do you happen to have 2 Directory Servers -- one for
2008R2 and another for 2012R2, could you provide both?
Any clues?
--
389-users mailing list
389-users@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
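
An added example, not part of the original thread and not 389-ds project code: a small Python parser that pairs each "Attempting to add entry" line in the replication log with the result code 32 (NO_OBJECT) line that follows it, and lists the container DNs that sit between AD's "best match" and the entry being added. The sample log is the set of lines quoted in the thread, rejoined onto single lines; the function names are hypothetical and the DN split is a naive comma split that assumes no escaped commas.

```python
import re

# Constructed sample: the replication-level log lines quoted in the thread,
# rejoined onto single lines.
SAMPLE_LOG = """\
[17/May/2016:09:13:18 -0300] - Attempting to add entry cn=Benedito Maia,ou=pop-go,ou=POPS,ou=EXTERNOS,ou=RNP,dc=homolog,dc=rnp to AD for local entry uid=benedito.maia,ou=pop-go,ou=POPS,ou=EXTERNOS,ou=RNP,dc=homolog,dc=rnp
[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): Received result code 32 (0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=POPS,OU=EXTERNOS,OU=RNP,DC=homolog,DC=rnp' ) for add operation
[17/May/2016:09:13:18 -0300] NSMMReplicationPlugin - windows sync - agmt="cn=AD - DF-GTI-DC01" (gti-df-dc01:636): windows_process_total_add: Cannot replay add operation.
"""

ADD_RE = re.compile(r"Attempting to add entry (?P<dn>.+?) to AD for local entry ")
NO_OBJ_RE = re.compile(
    r"Received result code 32 \(.*?best match of:\s*'(?P<best>[^']*)'\s*\) for add operation")


def split_dn(dn):
    """Naive RDN split (assumption: no escaped commas), lower-cased for comparison."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def missing_containers(entry_dn, best_match_dn):
    """Containers between AD's best match and the entry, topmost first."""
    entry, best = split_dn(entry_dn), split_dn(best_match_dn)
    if best and entry[-len(best):] != best:
        return []  # best match is not an ancestor of the entry; nothing to infer
    parents = entry[1:len(entry) - len(best)]  # drop the leaf RDN and the matched suffix
    # Build full DNs from the shallowest missing container down to the deepest.
    return [",".join(parents[i:] + best) for i in range(len(parents) - 1, -1, -1)]


def find_failed_adds(log_text):
    """Pair each add attempt with a following NO_OBJECT (result code 32) line."""
    failures, pending = [], None
    for line in log_text.splitlines():
        add = ADD_RE.search(line)
        if add:
            pending = add.group("dn")
            continue
        err = NO_OBJ_RE.search(line)
        if err and pending:
            failures.append({"entry": pending, "best_match": err.group("best"),
                             "missing": missing_containers(pending, err.group("best"))})
            pending = None
    return failures


if __name__ == "__main__":
    for f in find_failed_adds(SAMPLE_LOG):
        print(f["entry"], "->", f["missing"])
```

The error log on disk wraps nothing, so the real file can be passed to `find_failed_adds` as read; the output shows which containers the sync agreement expects on the AD side for each rejected entry.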