On 06/08/2015 12:49 PM, nat...@nathanpeters.com wrote:
On 06/08/2015 10:18 AM, nat...@nathanpeters.com wrote:
This looks like incremental update is successful . . .

nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
. . . but this indicates that the sync agreement has never been
initialized, which would also correspond to the errors below.  I'm
really puzzled as to how sync could possibly work if it has never been
initialized.  And I'm also not sure how you could have created the sync
agreement using the IPA command line tools without initializing the
agreement.  AFAIK, the only way to get rid of the errors is to
reinitialize http://linux.die.net/man/1/ipa-replica-manage
OK, more troubleshooting and I think I discovered the problem.  Making the
sync agreement into a one-way sync from Windows to IPA seems to break the
agreement by uninitializing it?  Not sure how to fix this, but here are the
logs to prove that is the step that is breaking it.

============================
try to create sync agreement
============================

[root@dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa
syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw
<secret> --passsync <secret> --cacert /etc/openldap/cacerts/addomain.cer
officedc2.office.addomain.net --win-subtree
"OU=Staff,DC=office,DC=addomain,DC=net" -v
Directory Manager password:

winsync agreement already exists on subtree
OU=Staff,DC=office,DC=addomain,DC=net

=================================
failed because it already existed so disconnect
=================================

[root@dc1 ~]# ipa-replica-manage disconnect officedc2.office.addomain.net
Directory Manager password:

Deleted replication agreement from 'dc1.ipadomain.net' to
'officedc2.office.addomain.net'

============================
try to create sync agreement
============================

[root@dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa
syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw
a5Ryj2N4EAvjFLJelWOQ --passsync MVQXHEturhjqoFXGvUcH --cacert
/etc/openldap/cacerts/addomain.cer officedc2.office.addomain.net
--win-subtree "OU=Staff,DC=office,DC=addomain,DC=net" -v
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/addomain.cer to certificate
database for dc1.ipadomain.net
ipa: INFO: AD Suffix is: DC=office,DC=addomain,DC=net
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 57 seconds elapsed
Update succeeded

Connected 'dc1.ipadomain.net' to 'officedc2.office.addomain.net'

=====================================
confirm that init values are non zero
=====================================

[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
  \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
   entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
  RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
  I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie::
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608182349Z
nsds5replicaLastUpdateEnd: 20150608182349Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
upd
  ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20150608182251Z
nsds5replicaLastInitEnd: 20150608182349Z
nsds5replicaLastInitStatus: 0 Total update succeeded

============================================================
now I update the LDAP tree to do a one way sync with windows
============================================================

-----------
Expanding base
'cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping
tree,cn=config'...
Getting 1 entries:
Dn:
cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping
tree,cn=config
cn: meToofficedc2.office.addomain.net;
description: me to officedc2.office.addomain.net;
nsds50ruv (3): {replicageneration} 553fe9bb000000040000; {replica 4
ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575dff8000000040000;
{replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000
557244db001700030000;
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
Account,dc=office,dc=addomain,dc=net;
nsDS5ReplicaBindMethod: simple;
nsds5replicaChangesSentSinceStartup: 4:35/0 ;
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdmI0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=;
nsDS5ReplicaHost: officedc2.office.addomain.net;
nsds5replicaLastInitEnd: 0;
nsds5replicaLastInitStart: 0;
nsds5replicaLastUpdateEnd: 20150608183351Z;
nsds5replicaLastUpdateStart: 20150608183350Z;
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
update succeeded;
nsDS5ReplicaPort: 389;
nsds5replicareapactive: 0;
nsDS5ReplicaRoot: dc=ipadomain,dc=net;
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth
krbloginfailedcount;
nsds5replicaTimeout: 120;
nsDS5ReplicaTransportInfo: TLS;
nsds5replicaUpdateInProgress: FALSE;
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net;
nsds7DirsyncCookie: <ldp: Binary blob 420 bytes>;
nsds7NewWinGroupSyncEnabled: false;
nsds7NewWinUserSyncEnabled: true;
nsds7WindowsDomain: ipadomain.net;
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net;
nsruvReplicaLastModified (2): {replica 4 ldap://dc1.ipadomain.net:389}
5575df5e; {replica 3 ldap://dc2.ipadomain.net:389} 00000000;
objectClass (2): nsDSWindowsReplicationAgreement; top;
oneWaySync: fromWindows;
-----------


[root@dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

=================================================
now run search to see if agreement is still valid
=================================================

[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
  \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
   entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
  RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
  I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie::
oneWaySync: fromWindows
nsds50ruv: {replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
  000000040000 5575df31000000040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
  4000000030000 557244db001700030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
  t:389} 5575de97
nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
  et:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608182928Z
nsds5replicaLastUpdateEnd: 20150608182928Z
nsds5replicaChangesSentSinceStartup:: NDoyOC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
upd
  ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

==============
um WTF?  making it a one way only agreement invalidates the lastinitstart
value?
==============

Looks like a bug.


=================================================================================
troubleshooting: removing oneWaySync: fromWindows and seeing if the problem
still exists
=================================================================================

[root@dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
  \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
   entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
  RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
  I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie::
nsds50ruv: {replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
  000000040000 5575dff8000000040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
  4000000030000 557244db001700030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
  t:389} 5575df5e
nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
  et:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608183216Z
nsds5replicaLastUpdateEnd: 20150608183216Z
nsds5replicaChangesSentSinceStartup:: NDozMC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
upd
  ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

=====================================================
hmmm, problem still exists and not sure how to fix it
=====================================================


ipa-replica-manage re-initialize?


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
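An added health check (my own example, not code from this thread or from FreeIPA/389-DS) that parses ldapsearch LDIF output like the dumps quoted above and reports, per winsync agreement, whether a total update has ever completed (both nsds5replicaLastInitStart and nsds5replicaLastInitEnd carry timestamps rather than 0), whether oneWaySync is set, and whether the last incremental update succeeded. The sample LDIF is constructed from the quoted output; it reproduces the LastInit* reset the thread observes but says nothing about why it happens.

```python
import base64
# Constructed sample modelled on the ldapsearch -xLLL output quoted in the thread:
# RFC 2849 folded lines, a base64 "::" value and the LastInit* timestamps reset to 0.
SAMPLE_LDIF = r"""dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsDS5ReplicaHost: officedc2.office.addomain.net
oneWaySync: fromWindows
nsds5replicaChangesSentSinceStartup:: NDoyOC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
"""

def parse_ldif(text):
    """Unfold continuation lines, decode '::' base64 values, return one {attr: [values]} per entry."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation: append without the single leading space
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace") if is_b64 else rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)   # LDAP attribute names are case-insensitive
    return entries

def summarize_agreement(entry):
    """Health row for one winsync agreement; 'initialized' needs timestamps in both LastInit* attrs."""
    get = lambda attr: entry.get(attr.lower(), [""])[0]
    init = (get("nsds5replicaLastInitStart"), get("nsds5replicaLastInitEnd"))
    return {"host": get("nsDS5ReplicaHost"),
            "one_way_sync": get("oneWaySync") or "both",
            "initialized": all(v not in ("", "0") for v in init),
            "last_update_ok": get("nsds5replicaLastUpdateStatus").startswith("0 "),
            "changes_sent": get("nsds5replicaChangesSentSinceStartup").strip()}

def winsync_report(ldif_text):
    """One summary per nsDSWindowsReplicationAgreement entry in an ldapsearch dump."""
    return [summarize_agreement(e) for e in parse_ldif(ldif_text)
            if "nsdswindowsreplicationagreement" in map(str.lower, e.get("objectclass", []))]
```

Feed it the output of `ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement`; an agreement with `initialized` False is one that would need `ipa-replica-manage re-initialize` according to the counters, whatever the cause of the reset.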
