Thank you, good point. So replication looks functional. In the replication log it can be seen that it is because of some constraint or ACL with the missing "sn" and class "person" in FreeIPA. Would you advise me some quick fix to solve it, before I go searching for a solution on Google? Many thanks.
```
Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.043764909 +0200] - DEBUG - NSMMReplicationPlugin - windows sync - windows_search_entry_ext - Calling windows entry search request plugin
Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.045659343 +0200] - DEBUG - NSMMReplicationPlugin - windows sync - windows_search_entry_ext - Received 2 messages, 1 entries, 0 references
Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.046996422 +0200] - DEBUG - NSMMReplicationPlugin - windows sync - Windows sync entry: Adding new local entry dn: uid=aftersync,cn=users,cn=accounts,dc=TEST,dc=local
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: top
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: person
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: organizationalperson
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: inetOrgPerson
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: ntUser
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: inetuser
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: posixaccount
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: krbprincipalaux
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: krbticketpolicyaux
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: ipaobject
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: ipasshuser
Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUserDeleteAccount: true
Oct 21 16:49:23 freeipa ns-slapd[505388]: givenName: aftersync
Oct 21 16:49:23 freeipa ns-slapd[505388]: cn: aftersync
Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUserCodePage: 0
Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUserAcctExpires: 9223372036854775807
Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUserDomainId: aftersync
Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUniqueId: 49a79ee9a4d23141be5be5508b1cfe85
Oct 21 16:49:23 freeipa ns-slapd[505388]: uidNumber: -1
Oct 21 16:49:23 freeipa ns-slapd[505388]: gidNumber: -1
Oct 21 16:49:23 freeipa ns-slapd[505388]: uid: aftersync
Oct 21 16:49:23 freeipa ns-slapd[505388]: krbPrincipalName: [email protected]
Oct 21 16:49:23 freeipa ns-slapd[505388]: homeDirectory: /home/aftersync
Oct 21 16:49:23 freeipa ns-slapd[505388]: gecos: aftersync
Oct 21 16:49:23 freeipa ns-slapd[505388]: loginShell: /bin/sh
Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.050298341 +0200] - ERR - oc_check_required - Entry "uid=aftersync,cn=users,cn=accounts,dc=TEST,dc=local" missing attribute "sn" required by object class "person"
Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.053613451 +0200] - DEBUG - replication - multimaster_mmr_postop - error 0 for operation 560.
```

On Wed 20 Oct 2021 at 16:40, Rob Crittenden <[email protected]> wrote:

> Zdenek Sobotka via FreeIPA-users wrote:
> > Hello,
> > I would need advice on setting up account synchronization between
> > a Windows 10 testing instance with AD and FreeIPA.
> > I successfully imported CA certificates for trust between AD and
> > FreeIPA, and ran ldapsearch, which I can use to read information from
> > Windows AD.
> > Now I want to synchronize account data from AD to FreeIPA, using
> > "ipa-replica-manage connect --winsync".
> > In debug mode, I see that the synchronization is established, and also
> > that there is an attempt at data replication.
> > Finally, at the end it is written that the replica update "passed
> > successfully". But no AD data was added when I looked into FreeIPA.
> >
> > Here is the log:
> >
> > ```
> > [root@freeipa ~]# ipa-replica-manage connect -d --verbose --winsync
> > --no-lookup --binddn="cn=Administrator,cn=Users,dc=ngov,dc=local"
> > --bindpw="H3sl0123456."
> > --cacert=/etc/ipa/ca.crt
> > --passsync="TESTTEST111" WIN-7G3BH6KDDHU.ngov.local
> >
> > Directory Manager password:
> >
> > ipa: DEBUG: Created connection context.ldap2_140493289808392
> > ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> > ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> > ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args=['/bin/systemctl', 'stop', '[email protected]']
> > ipa: DEBUG: Process finished, return code=0
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=
> > ipa: DEBUG: Stop of [email protected] complete
> > ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=Certificate Authority,O=TEST.LOCAL', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> > ipa: DEBUG: Process finished, return code=0
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=WIN-7G3BH6KDDHU.ngov.local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> > ipa: DEBUG: Process finished, return code=0
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=ngov-WIN-7G3BH6KDDHU-CA,DC=ngov,DC=local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> > ipa: DEBUG: Process finished, return code=0
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args=['/bin/systemctl', 'start', '[email protected]']
> > ipa: DEBUG: Process finished, return code=0
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args=['/bin/systemctl', 'is-active', '[email protected]']
> > ipa: DEBUG: Process finished, return code=0
> > ipa: DEBUG: stdout=active
> >
> > ipa: DEBUG: stderr=
> > ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120
> > ipa: DEBUG: waiting for port: 389
> > ipa: DEBUG: SUCCESS: port: 389
> > ipa: DEBUG: Start of [email protected] complete
> > ipa: DEBUG: Created connection context.ldap2_140493289808392
> > Added CA certificate /etc/ipa/ca.crt to certificate database for freeipa.TEST.local
> > ipa: INFO: AD Suffix is: DC=ngov,DC=local
> > ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://freeipa.TEST.local:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fc7249c2c88>
> > ipa: DEBUG: Add or update replica config cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config
> > ipa: DEBUG: No update to cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config necessary
> > The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local
> > Windows PassSync system account exists, not resetting password
> > ipa: DEBUG: Plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' already 'uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local' in passSyncManagersDNs
> > ipa: DEBUG: Waiting up to 300 seconds for replication (ldaps://freeipa.TEST.local:636) cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config (objectclass=*)
> > ipa: DEBUG: Entry found [LDAPEntry(ipapython.dn.DN('cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config'), {
> >   'objectClass': [b'nsDSWindowsReplicationAgreement', b'top'],
> >   'cn': [b'meToWIN-7G3BH6KDDHU.ngov.local'],
> >   'nsDS5ReplicaHost': [b'WIN-7G3BH6KDDHU.ngov.local'],
> >   'nsDS5ReplicaPort': [b'389'],
> >   'nsds5replicaTimeout': [b'120'],
> >   'nsDS5ReplicaRoot': [b'dc=TEST,dc=local'],
> >   'description': [b'me to WIN-7G3BH6KDDHU.ngov.local'],
> >   'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
> >   'nsDS5ReplicaBindDN': [b'cn=Administrator,cn=Users,dc=ngov,dc=local'],
> >   'nsDS5ReplicaTransportInfo': [b'TLS'],
> >   'nsDS5ReplicaBindMethod': [b'simple'],
> >   'nsds7WindowsReplicaSubtree': [b'cn=Users,DC=ngov,DC=local'],
> >   'nsds7DirectoryReplicaSubtree': [b'cn=users,cn=accounts,dc=TEST,dc=local'],
> >   'nsds7NewWinUserSyncEnabled': [b'true'],
> >   'nsds7NewWinGroupSyncEnabled': [b'false'],
> >   'nsds7WindowsDomain': [b'TEST.local'],
> >   'nsDS5ReplicaCredentials': [b'{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTVaRGxoTVRJNFpDMHhOVGt6TTJZNQ0KTmkwNU9HTTBNR0ZtTXkxaE56TTJaakUwTWdBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRGJXVlFqdEZEY3k1RjFYTEMwT1V2TA==}gjvpjBG5R/xt7jkO7XzRPg=='],
> >   'nsds5replicareapactive': [b'0'],
> >   'nsds5replicaLastUpdateStart': [b'19700101000000Z'],
> >   'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
> >   'nsds5replicaChangesSentSinceStartup': [b''],
> >   'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'],
> >   'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2021-10-20T10:36:28Z", "message": "Error (0) No replication sessions started since server startup"}'],
> >   'nsds5replicaUpdateInProgress': [b'FALSE'],
> >   'nsds5replicaLastInitStart': [b'19700101000000Z'],
> >   'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
> > ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> > ipa: INFO: Replication Update in progress: FALSE: status: Error (0) Replica acquired successfully: Incremental update started: start: 20211020103628: end: 20211020103628
> > ipa: INFO: Agreement is ready, starting replication . . .
> > ipa: WARNING: This configuration ("--winsync") may imply that the log file contains clear text passwords.
> > Please ensure that these files can be accessed only by trusted accounts.
> > Log files are under /var/lib/dirsrv/slapd-TEST-LOCAL/cldb
> > Starting replication, please wait until this has completed.
> >
> > Update succeeded
> >
> > Connected 'freeipa.TEST.local' to 'WIN-7G3BH6KDDHU.ngov.local'
> > ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
> > [root@freeipa ~]#
> > ```
> >
> > I will be happy for any helpful advice. Thanks.
>
> I'd suggest enabling replication debugging to see what is going on:
> https://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>
> rob
>

--
--------------------------------------------------------------------------------------------------
email: [email protected]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
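The error in the thread is a 389-ds schema check (oc_check_required) rejecting the entry winsync built from the AD user: FreeIPA puts the "person" objectclass on every synced user, and "person" requires "sn", but the AD test account "aftersync" only has givenName and cn. The script below is an added example, not FreeIPA or 389-ds code, that pre-flights AD user entries before a sync by reproducing that MUST-attribute check and emitting an LDIF modify for each offending AD account. It assumes a hand-written MUST table for "person" and "posixAccount" (RFC 4519 / RFC 2307) and an approximation of the winsync attribute mapping inferred from the log (sAMAccountName to uid, cn/givenName/sn copied, posix defaults of -1 and /home/<uid>); the AD entries are constructed inline to mirror the failing one.

```python
"""Pre-flight check for AD -> FreeIPA winsync.

Finds AD user entries that 389-ds would reject with
"missing attribute X required by object class Y" when winsync adds them
to cn=users,cn=accounts on the IPA side. Added example, not project code.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Objectclasses the winsync log shows FreeIPA assigning to a synced AD user.
IPA_USER_OBJECTCLASSES: List[str] = [
    "top", "person", "organizationalPerson", "inetOrgPerson", "ntUser",
    "inetUser", "posixAccount", "krbPrincipalAux", "krbTicketPolicyAux",
    "ipaObject", "ipaSshUser",
]

# MUST attributes per objectclass, lower-cased. Hand-written subset
# (assumption) of the standard schema: person MUST sn and cn (RFC 4519),
# posixAccount MUST cn, uid, uidNumber, gidNumber, homeDirectory (RFC 2307).
# Objectclasses not listed are treated as having no MUST attributes.
REQUIRED_ATTRS: Dict[str, Set[str]] = {
    "person": {"sn", "cn"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
}


def ipa_view_of_ad_user(ad_entry: Dict[str, str]) -> Dict[str, str]:
    """Approximate the attribute set winsync puts on the new IPA entry.

    The mapping is an assumption drawn from the attributes visible in the
    failing log (sAMAccountName -> uid, cn/givenName/sn copied as-is,
    uidNumber/gidNumber -1, homeDirectory /home/<uid>, loginShell /bin/sh);
    it is not the plugin's actual code.
    """
    uid = ad_entry["sAMAccountName"]
    ipa: Dict[str, str] = {
        "uid": uid, "uidNumber": "-1", "gidNumber": "-1",
        "homeDirectory": f"/home/{uid}", "gecos": uid, "loginShell": "/bin/sh",
    }
    for attr in ("cn", "givenName", "sn"):
        if ad_entry.get(attr):          # empty or absent values do not count
            ipa[attr] = ad_entry[attr]
    return ipa


def missing_required(entry: Dict[str, str],
                     objectclasses: Iterable[str]) -> Dict[str, Set[str]]:
    """Return {objectclass: missing MUST attributes}; the oc_check_required logic."""
    present = {name.lower() for name, value in entry.items() if value}
    missing: Dict[str, Set[str]] = {}
    for oc in objectclasses:
        gap = REQUIRED_ATTRS.get(oc.lower(), set()) - present
        if gap:
            missing[oc] = gap
    return missing


def preflight(ad_entries: List[Dict[str, str]]
              ) -> List[Tuple[str, Dict[str, Set[str]]]]:
    """Return (sAMAccountName, missing-by-objectclass) for each AD user that would be rejected."""
    failures = []
    for entry in ad_entries:
        gap = missing_required(ipa_view_of_ad_user(entry), IPA_USER_OBJECTCLASSES)
        if gap:
            failures.append((entry["sAMAccountName"], gap))
    return failures


def ldif_fix(ad_entry: Dict[str, str]) -> str:
    """LDIF for ldapmodify against AD that fills in sn so the next sync pass can add the user.

    The account name is only a placeholder value; replace it with the real surname.
    """
    return (f"dn: {ad_entry['dn']}\nchangetype: modify\n"
            f"replace: sn\nsn: {ad_entry['sAMAccountName']}\n")


# Constructed sample AD users (not data from the thread). The first mirrors the
# failing "aftersync" entry: givenName and cn present, no sn.
SAMPLE_AD_USERS: List[Dict[str, str]] = [
    {"dn": "CN=aftersync,CN=Users,DC=ngov,DC=local", "sAMAccountName": "aftersync",
     "cn": "aftersync", "givenName": "aftersync"},
    {"dn": "CN=Jane Doe,CN=Users,DC=ngov,DC=local", "sAMAccountName": "jdoe",
     "cn": "Jane Doe", "givenName": "Jane", "sn": "Doe"},
]

if __name__ == "__main__":
    for name, gap in preflight(SAMPLE_AD_USERS):
        print(f"{name}: would be rejected by the IPA schema check, missing {gap}")
    print(ldif_fix(SAMPLE_AD_USERS[0]))
```

Against a live domain the same question is answered by an LDAP search on the AD side for user objects with no surname, `(&(objectClass=user)(!(sn=*)))`, scoped to the subtree the agreement syncs (cn=Users,DC=ngov,DC=local in the log). Note also that the winsync agreement stores the AD bind credentials and that both `--bindpw` and `--passsync` were passed on the command line, so they sit in shell history and the ipa debug log; the WARNING line in the quoted output is about exactly that.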
