The gist is your AD users must have both a first and a last name. In this case the entry isn't added because it isn't legal in IPA because it lacks the surname (sn), or last name, attribute.
rob

Zdenek Sobotka wrote:
> Thank you, good point.
> So replication looks functional. In log replication can be seen, that it
> is because of some constraints or acl with missing "sn" and class
> "person" in FreeIPA.
> Would you advise me some quick fix how to solve it, before I go to
> search solution on Google?
> Many thanks.
>
> ```
> Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.043764909 +0200] - DEBUG - NSMMReplicationPlugin - windows sync - windows_search_entry_ext - Calling windows entry search request plugin
> Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.045659343 +0200] - DEBUG - NSMMReplicationPlugin - windows sync - windows_search_entry_ext - Received 2 messages, 1 entries, 0 references
> Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.046996422 +0200] - DEBUG - NSMMReplicationPlugin - windows sync - Windows sync entry: Adding new local entry dn: uid=aftersync,cn=users,cn=accounts,dc=TEST,dc=local
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: top
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: person
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: organizationalperson
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: inetOrgPerson
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: ntUser
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: inetuser
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: posixaccount
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: krbprincipalaux
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: krbticketpolicyaux
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: ipaobject
> Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: ipasshuser
> Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUserDeleteAccount: true
> Oct 21 16:49:23 freeipa ns-slapd[505388]: givenName: aftersync
> Oct 21 16:49:23 freeipa ns-slapd[505388]: cn: aftersync
> Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUserCodePage: 0
> Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUserAcctExpires: 9223372036854775807
> Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUserDomainId: aftersync
> Oct 21 16:49:23 freeipa ns-slapd[505388]: ntUniqueId: 49a79ee9a4d23141be5be5508b1cfe85
> Oct 21 16:49:23 freeipa ns-slapd[505388]: uidNumber: -1
> Oct 21 16:49:23 freeipa ns-slapd[505388]: gidNumber: -1
> Oct 21 16:49:23 freeipa ns-slapd[505388]: uid: aftersync
> Oct 21 16:49:23 freeipa ns-slapd[505388]: krbPrincipalName: [email protected]
> Oct 21 16:49:23 freeipa ns-slapd[505388]: homeDirectory: /home/aftersync
> Oct 21 16:49:23 freeipa ns-slapd[505388]: gecos: aftersync
> Oct 21 16:49:23 freeipa ns-slapd[505388]: loginShell: /bin/sh
> Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.050298341 +0200] - ERR - oc_check_required - Entry "uid=aftersync,cn=users,cn=accounts,dc=TEST,dc=local" missing attribute "sn" required by object class "person"
> Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.053613451 +0200] - DEBUG - replication - multimaster_mmr_postop - error 0 for operation 560.
> ```
>
> On Wed 20. 10. 2021 at 16:40, Rob Crittenden <[email protected] <mailto:[email protected]>> wrote:
>
> > Zdenek Sobotka via FreeIPA-users wrote:
> > > Hello,
> > > I would need advice on setting up account synchronization between
> > > Windows10 testing instance with AD and FREEIPA.
> > > I successfully imported CA certificates for trust between AD and
> > > FREEIPA, ran ldapsearch, which I can use to read information from
> > > Windows AD.
> > > Now I want to synchronize data accounts from AD to FREEIPA, using
> > > "ipa-replica-manage connect --winsync".
> > > In debug mode, I see that the synchronization is established, and also
> > > there is an attempt with data replication.
> > > Finally in the end, is written that the replica update "passed
> > > successfully". But no AD data was added, when I looked into FREEIPA.
> > >
> > > Here is the log:
> > >
> > > ```
> > > [root@freeipa ~]# ipa-replica-manage connect -d --verbose --winsync --no-lookup --binddn="cn=Administrator,cn=Users,dc=ngov,dc=local" --bindpw="H3sl0123456." --cacert=/etc/ipa/ca.crt --passsync="TESTTEST111" WIN-7G3BH6KDDHU.ngov.local
> > >
> > > Directory Manager password:
> > >
> > > ipa: DEBUG: Created connection context.ldap2_140493289808392
> > > ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> > > ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> > > ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args=['/bin/systemctl', 'stop', '[email protected]']
> > > ipa: DEBUG: Process finished, return code=0
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=
> > > ipa: DEBUG: Stop of [email protected] complete
> > > ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=Certificate Authority,O=TEST.LOCAL', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> > > ipa: DEBUG: Process finished, return code=0
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=WIN-7G3BH6KDDHU.ngov.local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> > > ipa: DEBUG: Process finished, return code=0
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=ngov-WIN-7G3BH6KDDHU-CA,DC=ngov,DC=local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> > > ipa: DEBUG: Process finished, return code=0
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args=['/bin/systemctl', 'start', '[email protected]']
> > > ipa: DEBUG: Process finished, return code=0
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args=['/bin/systemctl', 'is-active', '[email protected]']
> > > ipa: DEBUG: Process finished, return code=0
> > > ipa: DEBUG: stdout=active
> > >
> > > ipa: DEBUG: stderr=
> > > ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120
> > > ipa: DEBUG: waiting for port: 389
> > > ipa: DEBUG: SUCCESS: port: 389
> > > ipa: DEBUG: Start of [email protected] complete
> > > ipa: DEBUG: Created connection context.ldap2_140493289808392
> > > Added CA certificate /etc/ipa/ca.crt to certificate database for freeipa.TEST.local
> > > ipa: INFO: AD Suffix is: DC=ngov,DC=local
> > > ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://freeipa.TEST.local:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fc7249c2c88>
> > > ipa: DEBUG: Add or update replica config cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config
> > > ipa: DEBUG: No update to cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config necessary
> > > The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local
> > > Windows PassSync system account exists, not resetting password
> > > ipa: DEBUG: Plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' already 'uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local' in passSyncManagersDNs
> > > ipa: DEBUG: Waiting up to 300 seconds for replication (ldaps://freeipa.TEST.local:636) cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config (objectclass=*)
> > > ipa: DEBUG: Entry found [LDAPEntry(ipapython.dn.DN('cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config'), {'objectClass': [b'nsDSWindowsReplicationAgreement', b'top'], 'cn': [b'meToWIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaHost': [b'WIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=TEST,dc=local'], 'description': [b'me to WIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsDS5ReplicaBindDN': [b'cn=Administrator,cn=Users,dc=ngov,dc=local'], 'nsDS5ReplicaTransportInfo': [b'TLS'], 'nsDS5ReplicaBindMethod': [b'simple'], 'nsds7WindowsReplicaSubtree': [b'cn=Users,DC=ngov,DC=local'], 'nsds7DirectoryReplicaSubtree': [b'cn=users,cn=accounts,dc=TEST,dc=local'], 'nsds7NewWinUserSyncEnabled': [b'true'], 'nsds7NewWinGroupSyncEnabled': [b'false'], 'nsds7WindowsDomain': [b'TEST.local'], 'nsDS5ReplicaCredentials': [b'{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTVaRGxoTVRJNFpDMHhOVGt6TTJZNQ0KTmkwNU9HTTBNR0ZtTXkxaE56TTJaakUwTWdBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRGJXVlFqdEZEY3k1RjFYTEMwT1V2TA==}gjvpjBG5R/xt7jkO7XzRPg=='], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2021-10-20T10:36:28Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
> > > ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> > > ipa: INFO: Replication Update in progress: FALSE: status: Error (0) Replica acquired successfully: Incremental update started: start: 20211020103628: end: 20211020103628
> > > ipa: INFO: Agreement is ready, starting replication . . .
> > > ipa: WARNING: This configuration ("--winsync") may imply that the log file contains clear text passwords.
> > > Please ensure that these files can be accessed only by trusted accounts.
> > > Log files are under /var/lib/dirsrv/slapd-TEST-LOCAL/cldb
> > > Starting replication, please wait until this has completed.
> > >
> > > Update succeeded
> > >
> > > Connected 'freeipa.TEST.local' to 'WIN-7G3BH6KDDHU.ngov.local'
> > > ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
> > > [root@freeipa ~]#
> > > ```
> > >
> > > I will be happy for any helpful advice. Thanks.
> >
> > I'd suggest enabling replication debugging to see what is going on:
> > https://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
> >
> > rob
>
>
> --
> --------------------------------------------------------------------------------------------------
> email: [email protected] <mailto:[email protected]>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
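The failure Rob describes is visible in the 389-ds errors log as an `oc_check_required` record that names the rejected entry and the attribute it lacks, a few lines after the winsync plugin dumps the entry it tried to add. As an added example (not code from this thread, from FreeIPA or from 389-ds), the Python script below scans such a log, pairs each "Adding new local entry" record with its attribute dump and any schema rejection that follows, and reports which AD accounts need the missing attribute (here `sn`) populated before the sync is retried. The sample log text is constructed from the lines quoted above; the second entry (`jdoe`) is invented to show an add that passes, and the regular expressions assume the message formats seen in this thread.

```python
"""Added example (not from the thread, FreeIPA or 389-ds): scan a 389-ds
errors log for winsync adds that the schema check rejected, and report
what each rejected entry was missing."""
import re
import sys
from collections import defaultdict

# Optional journald/syslog prefix, e.g. "Oct 21 16:49:23 freeipa ns-slapd[505388]: "
PREFIX_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ns-slapd\[\d+\]: ")
# Every timestamped ns-slapd record starts like "[21/Oct/2021:16:49:23.046996422 +0200]"
RECORD_RE = re.compile(r"^\[\d\d/[A-Za-z]{3}/\d{4}:")
ADD_RE = re.compile(r"Windows sync entry: Adding new local entry dn: (?P<dn>\S+)")
MISSING_RE = re.compile(
    r'oc_check_required - Entry "(?P<dn>[^"]+)" missing attribute "(?P<attr>[^"]+)"'
    r' required by object class "(?P<oc>[^"]+)"'
)
# "name: value" lines of the entry dump that follows an "Adding new local entry" record
ATTR_RE = re.compile(r"^(?P<name>[A-Za-z][\w;-]*): ?(?P<value>.*)$")

# Constructed sample modelled on the log quoted in the thread (attribute dump
# shortened); the jdoe entry is invented to show an add that passes the check.
SAMPLE_LOG = """\
Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.046996422 +0200] - DEBUG - NSMMReplicationPlugin - windows sync - Windows sync entry: Adding new local entry dn: uid=aftersync,cn=users,cn=accounts,dc=TEST,dc=local
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: top
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: person
Oct 21 16:49:23 freeipa ns-slapd[505388]: objectclass: inetOrgPerson
Oct 21 16:49:23 freeipa ns-slapd[505388]: givenName: aftersync
Oct 21 16:49:23 freeipa ns-slapd[505388]: cn: aftersync
Oct 21 16:49:23 freeipa ns-slapd[505388]: uid: aftersync
Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.050298341 +0200] - ERR - oc_check_required - Entry "uid=aftersync,cn=users,cn=accounts,dc=TEST,dc=local" missing attribute "sn" required by object class "person"
Oct 21 16:49:23 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:23.053613451 +0200] - DEBUG - replication - multimaster_mmr_postop - error 0 for operation 560.
Oct 21 16:49:24 freeipa ns-slapd[505388]: [21/Oct/2021:16:49:24.000000000 +0200] - DEBUG - NSMMReplicationPlugin - windows sync - Windows sync entry: Adding new local entry dn: uid=jdoe,cn=users,cn=accounts,dc=TEST,dc=local
Oct 21 16:49:24 freeipa ns-slapd[505388]: objectclass: person
Oct 21 16:49:24 freeipa ns-slapd[505388]: givenName: Jane
Oct 21 16:49:24 freeipa ns-slapd[505388]: sn: Doe
Oct 21 16:49:24 freeipa ns-slapd[505388]: uid: jdoe
"""


def scan_winsync_log(text):
    """Return {'seen': [dn, ...], 'entries': {dn: {attr: [values]}},
    'rejected': {dn: [(attr, objectclass), ...]}} for the given log text."""
    seen, entries, rejected = [], {}, defaultdict(list)
    current = None  # dn whose attribute dump we are currently inside, if any
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw, count=1)
        if RECORD_RE.match(line):
            current = None  # a new timestamped record ends the previous dump
            m = ADD_RE.search(line)
            if m:
                current = m.group("dn")
                seen.append(current)
                entries[current] = defaultdict(list)
                continue
            m = MISSING_RE.search(line)
            if m:
                rejected[m.group("dn")].append((m.group("attr"), m.group("oc")))
            continue
        if current is not None:
            m = ATTR_RE.match(line)
            if m:  # LDAP attribute names are case-insensitive, so normalise them
                entries[current][m.group("name").lower()].append(m.group("value"))
    return {
        "seen": seen,
        "entries": {dn: dict(attrs) for dn, attrs in entries.items()},
        "rejected": dict(rejected),
    }


def report(result):
    """One line per synced entry: OK, or REJECTED with the missing attribute and
    the attributes the entry did carry, so the AD-side fix is obvious."""
    lines = []
    extra = [dn for dn in result["rejected"] if dn not in result["seen"]]
    for dn in result["seen"] + extra:
        problems = result["rejected"].get(dn)
        if not problems:
            lines.append(f"OK        {dn}")
            continue
        present = ", ".join(sorted(result["entries"].get(dn, {})))
        for attr, oc in problems:
            lines.append(
                f"REJECTED  {dn}: missing '{attr}' (required by objectClass {oc});"
                f" present: {present}"
            )
    return lines


if __name__ == "__main__":
    # Usage: python winsync_check.py [errors-log]; with no argument the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print("\n".join(report(scan_winsync_log(text))))
```

Point it at the dirsrv instance's errors log (or at `journalctl` output for the dirsrv unit, which is where the lines quoted above came from) after enabling replication debugging as Rob suggested earlier in the thread. Each REJECTED line names the AD account whose entry lacks a required attribute; once those accounts have a surname in AD, the next incremental update should add them.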
