> On 06/08/2015 10:18 AM, nat...@nathanpeters.com wrote:
> This looks like incremental update is successful . . .
>
>> nsds5replicaUpdateInProgress: FALSE
>> nsds5replicaLastInitStart: 0
>> nsds5replicaLastInitEnd: 0
>
> . . . but this indicates that the sync agreement has never been
> initialized, which would also correspond to the errors below. I'm
> really puzzled as to how sync could possibly work if it has never been
> initialized. And I'm also not sure how you could have created the sync
> agreement using the IPA command line tools without initializing the
> agreement. AFAIK, the only way to get rid of the errors is to
> reinitialize http://linux.die.net/man/1/ipa-replica-manage
OK, more troubleshooting and I think I discovered the problem. Making the
sync agreement into a one-way sync from Windows to IPA seems to break the
agreement by uninitializing it? Not sure how to fix this, but here are the
logs to prove that is the step that is breaking it.

============================
try to create sync agreement
============================
[root@dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw <secret> --passsync <secret> --cacert /etc/openldap/cacerts/addomain.cer officedc2.office.addomain.net --win-subtree "OU=Staff,DC=office,DC=addomain,DC=net" -v
Directory Manager password:
winsync agreement already exists on subtree OU=Staff,DC=office,DC=addomain,DC=net

=================================
failed because it already existed so disconnect
=================================
[root@dc1 ~]# ipa-replica-manage disconnect officedc2.office.addomain.net
Directory Manager password:
Deleted replication agreement from 'dc1.ipadomain.net' to 'officedc2.office.addomain.net'

============================
try to create sync agreement
============================
[root@dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw a5Ryj2N4EAvjFLJelWOQ --passsync MVQXHEturhjqoFXGvUcH --cacert /etc/openldap/cacerts/addomain.cer officedc2.office.addomain.net --win-subtree "OU=Staff,DC=office,DC=addomain,DC=net" -v
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/addomain.cer to certificate database for dc1.ipadomain.net
ipa: INFO: AD Suffix is: DC=office,DC=addomain,DC=net
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 57 seconds elapsed
Update succeeded
Connected 'dc1.ipadomain.net' to 'officedc2.office.addomain.net'

=====================================
confirm that init values are non zero
=====================================
[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
 I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie::
 TVNEUwMAAADdp7tcGKLQAQAAAAAAAAAAYAEAAAVEoQAAAAAAAAAAAAAAA
 AAFRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
 13PwAAAAAADGzFNzznrESIxHzA74fbs72tMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+9xBIgAAAAAA4qTQaC46/Ua4KXgP
 /ixNcdrfVAAAAAAAWowbgYD1akibZ+sCul5C4e9kLQAAAAAAxSO4iapVmEGQ6R23bgLQiwVEoQAAA
 AAAogC6jFcyFUmhBp4B7FkaBQwfnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608182349Z
nsds5replicaLastUpdateEnd: 20150608182349Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20150608182251Z
nsds5replicaLastInitEnd: 20150608182349Z
nsds5replicaLastInitStatus: 0 Total update succeeded

============================================================
now I update the ldap tree to do a one way sync with windows
============================================================
-----------
Expanding base 'cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config'...
Getting 1 entries:
Dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: meToofficedc2.office.addomain.net;
description: me to officedc2.office.addomain.net;
nsds50ruv (3): {replicageneration} 553fe9bb000000040000; {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575dff8000000040000; {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000 557244db001700030000;
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net;
nsDS5ReplicaBindMethod: simple;
nsds5replicaChangesSentSinceStartup: 4:35/0 ;
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdmI0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=;
nsDS5ReplicaHost: officedc2.office.addomain.net;
nsds5replicaLastInitEnd: 0;
nsds5replicaLastInitStart: 0;
nsds5replicaLastUpdateEnd: 20150608183351Z;
nsds5replicaLastUpdateStart: 20150608183350Z;
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded;
nsDS5ReplicaPort: 389;
nsds5replicareapactive: 0;
nsDS5ReplicaRoot: dc=ipadomain,dc=net;
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount;
nsds5replicaTimeout: 120;
nsDS5ReplicaTransportInfo: TLS;
nsds5replicaUpdateInProgress: FALSE;
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net;
nsds7DirsyncCookie: <ldp: Binary blob 420 bytes>;
nsds7NewWinGroupSyncEnabled: false;
nsds7NewWinUserSyncEnabled: true;
nsds7WindowsDomain: ipadomain.net;
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net;
nsruvReplicaLastModified (2): {replica 4 ldap://dc1.ipadomain.net:389} 5575df5e; {replica 3 ldap://dc2.ipadomain.net:389} 00000000;
objectClass (2): nsDSWindowsReplicationAgreement;
top;
oneWaySync: fromWindows;
-----------
[root@dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

=================================================
now run search to see if agreement is still valid
=================================================
[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
 I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie::
 TVNEUwMAAAAJUnAmGaLQAQAAAAAAAAAAYAEAAIREoQAAAAAAAAAAAAAAA
 ACERKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
 13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
 /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi4REoQAAA
 AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
oneWaySync: fromWindows
nsds50ruv: {replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
 000000040000 5575df31000000040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
 4000000030000 557244db001700030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
 t:389} 5575de97
nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
 et:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608182928Z
nsds5replicaLastUpdateEnd: 20150608182928Z
nsds5replicaChangesSentSinceStartup:: NDoyOC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

==============
um WTF? making it a one way only agreement invalidates the lastinitstart value?
==============

=================================================================================
troubleshooting : removing oneWaySync: fromWindows and see if problem still exists
=================================================================================
[root@dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
 I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie:: TVNEUwMAAAC1t/mKGaLQAQAAAAAAAAAAYAEAAKlEoQAAAAAAAAAAAAAAA
 ACpRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
 13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
 /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi6lEoQAAA
 AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
nsds50ruv: {replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
 000000040000 5575dff8000000040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
 4000000030000 557244db001700030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
 t:389} 5575df5e
nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
 et:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608183216Z
nsds5replicaLastUpdateEnd: 20150608183216Z
nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

=====================================================
hmmm, problem still exists and not sure how to fix it
=====================================================

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
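Added example, not part of the thread above: a small sh/awk helper that unfolds the LDIF that ldapsearch prints for an nsDSWindowsReplicationAgreement entry and reports the three things the thread keeps re-checking by eye: whether nsds5replicaLastInitStart is 0 (never initialised), whether oneWaySync is set, and whether the last incremental update status starts with 0. Function names and the sample entry are constructed for this example; the sample mirrors the post-oneWaySync ldapsearch output, minus the cookie and credential blobs.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): report the state of a
# winsync agreement from ldapsearch LDIF on stdin.

# Join LDIF continuation lines (a leading space continues the previous
# attribute, e.g. "Incremental upd" / " ate succeeded") onto one line each.
ldif_unfold() {
  awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
       NR > 1         { printf "\n" }
                      { printf "%s", $0 }
       END            { printf "\n" }'
}

# Print "<init-state> <direction> <update-state>" for the entry on stdin.
winsync_agreement_state() {
  ldif_unfold | awk '
    function val(  v) { v = $0; sub(/^[^:]*: */, "", v); return v }
    { key = tolower($0); sub(/:.*/, "", key) }   # LDAP attr names are case-insensitive
    key == "nsds5replicalastinitstart"    { init_start = val() }
    key == "nsds5replicalastinitend"      { init_end   = val() }
    key == "onewaysync"                   { direction  = val() }
    key == "nsds5replicalastupdatestatus" { status     = val() }
    END {
      # LastInitStart of 0 (or absent) is the symptom in the thread.
      if (init_start == "" || init_start == "0") init = "never-initialised"
      else if (init_end == "0")                  init = "init-in-progress"
      else                                        init = "initialised"
      if (direction == "")     direction = "bidirectional"
      if (status == "")        upd = "no-update-yet"
      else if (status ~ /^0 /) upd = "last-update-ok"   # 389-ds status text starts with the code
      else                     upd = "last-update-error"
      printf "%s %s %s\n", init, direction, upd
    }'
}

# Constructed sample in the shape of the ldapsearch output after oneWaySync was added.
sample_after_oneway() {
  cat <<'EOF'
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
oneWaySync: fromWindows
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
EOF
}

# Live use: ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config \
#   objectclass=nsDSWindowsReplicationAgreement | winsync_agreement_state
sample_after_oneway | winsync_agreement_state
```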