Sigbjørn Lie wrote:
On 03/11/2011 09:16 PM, Rob Crittenden wrote:
Sigbjørn Lie wrote:

I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
sync agreement with Active Directory.

Added CA certificate /root/testing-ca.cer to certificate database for
ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
The user for the Windows PassSync service is
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready .
. .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
acquired successfully: Incremental update succeeded: start:
20110311195207Z: end: 20110311195207Z
ipa: INFO: Agreement is ready, starting replication . . .
ipa: INFO: Failed to create public entry for winsync replica
Starting replication, please wait until this has completed.
Update succeeded
Connected '' to ''

Now I can't list the sync agreements. All I get is:

# ipa-replica-manage list
unexpected error: * not found

Any ideas?

Can you try running /us/sbin/ipa-ldap-updater?

The problem is this didn't run at install so the spot in the DIT to
store windows replication agreement info wasn't created, so it
couldn't be added (the Failed to create public entry for winsync
replica part).

Once you've run ipa-ldap-updater you can add the info with something

ldapmodify -x -D 'cn=directory manager' -W

changetype: add
objectclass: nsContainer
objectclass: ipaConfigObject
<add an extra RETURN>

^D to quit


Thank you. I tried this, the ipa-ldap-updater script updated and created
quite a few entries and exited without any errors. I then added the info
as you suggested, also without any errors. However listing replicas
still doesn't work. Actually, running force-sync or re-initialize yells
exactly the same error message.

# ipa-replica-manage list
unexpected error: * not found

Hmm, can you provide the output of (you can send privately if you want):

kinit admin
ldapsearch -Y GSSAPI -b  cn=masters,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com


ldapsearch -Y GSSAPI -b  cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com

There must be an additional entry that wasn't added but I haven't figured out what it is yet.


Freeipa-users mailing list

Reply via email to