Re: [Freeipa-users] FreeIPA password sync one direction only (Windows DC -> IPA)
On 05/23/2013 12:38 PM, Steve Dainard wrote:
> Eventually the service did stop
>
> [root@ipa1 slapd-MIOVISION-LINUX]# service dirsrv restart
> Shutting down dirsrv:
>     MIOVISION-LINUX... [FAILED]
>     PKI-IPA... [ OK ]
> *** Error: 1 instance(s) unsuccessfully stopped [FAILED]
> Starting dirsrv:
>     MIOVISION-LINUX... already running [ OK ]
>     PKI-IPA... [ OK ]
>
> Bolded line looks interesting in the errors log:
>
> [23/May/2013:13:31:32 -0400] NSMMReplicationPlugin - Running Dirsync
> [23/May/2013:13:36:29 -0400] - slapd shutting down - signaling operation threads
> [23/May/2013:13:36:29 -0400] - slapd shutting down - closing down internal subsystems and plugins
> [23/May/2013:13:36:29 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_inc_stop: protocol stopped after 0 seconds
> [23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - windows_tot_run: protocol not stopped after waiting for 600 seconds for agreement agmt="cn=meTodc1.miovision.corp" (dc1:389)
> [23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Disconnected from the consumer
> [23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - Warning: total protocol for replica "agmt="cn=meTodc1.miovision.corp" (dc1:389)" did not shut down properly.
> [23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - changelog program - _cl5Close: waiting for threads to exit: 1 thread(s) still active
> [23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - changelog program - _cl5TrimMain: exiting
> *[23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - (null): windows_process_dirsync_entry: not allowed to add entry CN=Shared Login,CN=Users,DC=miovision,DC=corp.*

This is a group entry. IPA winsync cannot sync groups.

> [23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - changelog program - _cl5DBClose: deleting DB object 7facd000b540
> [23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - changelog program - _cl5DBClose: closing databases in /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb
> [23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - changelog program - _cl5DBCloseFile: Closing database /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/adfdd709-c32011e2-9464d7b2-701347b5_519d2ea80003.db4
> [23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - changelog program - _cl5DBCloseFile: Closed the changelog database handle for /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/adfdd709-c32011e2-9464d7b2-701347b5_519d2ea80003.db4 (rc: 0)
> [23/May/2013:13:46:30 -0400] - Waiting for 4 database threads to stop
> [23/May/2013:13:46:30 -0400] - All database threads now stopped
> [23/May/2013:13:46:30 -0400] - slapd stopped.

Re: [Freeipa-users] FreeIPA password sync one direction only (Windows DC -> IPA)
On 05/17/2013 12:03 PM, Steve Dainard wrote:
> Thanks for getting me on the right track. Yes to the Windows sync agreement.
>
> I'm not sure if this is related to password sync'ing, but it looks like a sync operation is triggering (and failing) every 4 seconds on one of my users:
>
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: start_backoff -> backoff
> [17/May/2013:13:28:42 -0400] - acquire_replica, supplier RUV:
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - supplier: {replicageneration} 508020360003
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa1.miovision.linux:389} 5080203600010003 5196677600010003 51966776
> [17/May/2013:13:28:42 -0400] - acquire_replica, consumer RUV:
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - consumer: {replicageneration} 508020360003
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - consumer: {replica 3 ldap://ipa1.miovision.linux:389} 5080203600010003 515ad91f0003
> [17/May/2013:13:28:42 -0400] - acquire_replica, supplier RUV is newer
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Cancelling linger on the connection
> [17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time: gen state before 519668c60001:1368811718:0:0
> [17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time: gen state after 519668ca:1368811722:0:0
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff -> sending_updates
> [17/May/2013:13:28:42 -0400] - csngen_adjust_time: gen state before 519668ca0001:1368811722:0:0
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: found DB object f6d910 for database /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_508020360003.db4
> [17/May/2013:13:28:42 -0400] - _cl5PositionCursorForReplay (agmt="cn=meTodc1.miovision.corp" (dc1:389)): Consumer RUV:
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): {replicageneration} 508020360003
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3 ldap://ipa1.miovision.linux:389} 5080203600010003 515ad91f0003
> [17/May/2013:13:28:42 -0400] - _cl5PositionCursorForReplay (agmt="cn=meTodc1.miovision.corp" (dc1:389)): Supplier RUV:
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): {replicageneration} 508020360003
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3 ldap://ipa1.miovision.linux:389} 5080203600010003 5196677600010003 51966776
> [17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp" (dc1:389) - clcache_get_buffer: found thread private buffer cache 7f30bc061d00
> [17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp" (dc1:389) - clcache_get_buffer: _pool is 2e7cc10 _pool->pl_busy_lists is 7f30bc050790 _pool->pl_busy_lists->bl_buffers is 7f30bc061d00
> [17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp" (dc1:389) - session start: anchorcsn=515ad91f0003
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - changelog program - agmt="cn=meTodc1.miovision.corp" (dc1:389): CSN 515ad91f0003 found, position set for replay
> [17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp" (dc1:389) - load=1 rec=1 csn=515ae3f40003
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_replay_update: Looking at modify operation local dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" (ours,user,not group)
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): map_entry_dn_outbound: looking for AD entry for DS dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" guid="ba17f9770e0c814cb9eea9df2d4df61a"
> [17/May/2013:13:28:42 -0400] - Calling windows entry search request plugin
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [] scope [0] filter [(objectclass=*)]: error 1:Operations error
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): map_entry_dn_outbound: return code -1 from search for AD entry dn="" or dn="(null)"
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): map_entry_dn_outbound: entry not found - rc -1
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_replay_update: Processing modify operation local dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" remote dn=""
> [17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc

Re: [Freeipa-users] FreeIPA password sync one direction only (Windows DC -> IPA)
Thanks for getting me on the right track. Yes to the Windows sync agreement.

I'm not sure if this is related to password sync'ing, but it looks like a sync operation is triggering (and failing) every 4 seconds on one of my users:

[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: start_backoff -> backoff
[17/May/2013:13:28:42 -0400] - acquire_replica, supplier RUV:
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - supplier: {replicageneration} 508020360003
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa1.miovision.linux:389} 5080203600010003 5196677600010003 51966776
[17/May/2013:13:28:42 -0400] - acquire_replica, consumer RUV:
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - consumer: {replicageneration} 508020360003
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - consumer: {replica 3 ldap://ipa1.miovision.linux:389} 5080203600010003 515ad91f0003
[17/May/2013:13:28:42 -0400] - acquire_replica, supplier RUV is newer
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): Cancelling linger on the connection
[17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time: gen state before 519668c60001:1368811718:0:0
[17/May/2013:13:28:42 -0400] - _csngen_adjust_local_time: gen state after 519668ca:1368811722:0:0
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): State: backoff -> sending_updates
[17/May/2013:13:28:42 -0400] - csngen_adjust_time: gen state before 519668ca0001:1368811722:0:0
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - changelog program - _cl5GetDBFile: found DB object f6d910 for database /var/lib/dirsrv/slapd-MIOVISION-LINUX/cldb/854fd282-193811e2-9177aa0d-17c9983f_508020360003.db4
[17/May/2013:13:28:42 -0400] - _cl5PositionCursorForReplay (agmt="cn=meTodc1.miovision.corp" (dc1:389)): Consumer RUV:
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): {replicageneration} 508020360003
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3 ldap://ipa1.miovision.linux:389} 5080203600010003 515ad91f0003
[17/May/2013:13:28:42 -0400] - _cl5PositionCursorForReplay (agmt="cn=meTodc1.miovision.corp" (dc1:389)): Supplier RUV:
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): {replicageneration} 508020360003
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): {replica 3 ldap://ipa1.miovision.linux:389} 5080203600010003 5196677600010003 51966776
[17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp" (dc1:389) - clcache_get_buffer: found thread private buffer cache 7f30bc061d00
[17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp" (dc1:389) - clcache_get_buffer: _pool is 2e7cc10 _pool->pl_busy_lists is 7f30bc050790 _pool->pl_busy_lists->bl_buffers is 7f30bc061d00
[17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp" (dc1:389) - session start: anchorcsn=515ad91f0003
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - changelog program - agmt="cn=meTodc1.miovision.corp" (dc1:389): CSN 515ad91f0003 found, position set for replay
[17/May/2013:13:28:42 -0400] agmt="cn=meTodc1.miovision.corp" (dc1:389) - load=1 rec=1 csn=515ae3f40003
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_replay_update: Looking at modify operation local dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" (ours,user,not group)
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): map_entry_dn_outbound: looking for AD entry for DS dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" guid="ba17f9770e0c814cb9eea9df2d4df61a"
[17/May/2013:13:28:42 -0400] - Calling windows entry search request plugin
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [] scope [0] filter [(objectclass=*)]: error 1:Operations error
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): map_entry_dn_outbound: return code -1 from search for AD entry dn="" or dn="(null)"
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): map_entry_dn_outbound: entry not found - rc -1
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_replay_update: Processing modify operation local dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" remote dn=""
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): map_entry_dn_outbound: looking for AD entry for DS dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=

Re: [Freeipa-users] FreeIPA password sync one direction only (Windows DC -> IPA)
On 05/17/2013 09:26 AM, Steve Dainard wrote:
> Hello,
>
> We're running a single IPA server (CentOS 6) on our network as a side project for some testing before we implement.
>
> It had been a significant period of time since I had last logged into the web interface, so I had to kinit from a client machine (of which I had logged into successfully with my domain password), at which point I was requested to change my password. After the password change I RDP'd into a Windows machine on our domain and realized the password had not been updated on the domain controller.
>
> Is the password sync feature with an external source such as Active Directory supposed to be two-way? If so where can I start troubleshooting this issue?

Are you talking about a windows sync agreement you set up with ipa-replica-manage? If so, yes, the password sync is supposed to be two-way. Try this:

- turn on the replication log level http://port389.org/wiki/FAQ#Troubleshooting
- change your IPA password
- turn off the replication log level http://port389.org/wiki/FAQ#Troubleshooting
- see if you can use your new password in AD

The 389 errors log in /var/log/dirsrv/slapd-YOUR-DOMAIN/errors may contain a clue.

> Thanks,
>
> Steve Dainard
> Infrastructure Manager
> Miovision Technologies Inc.
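
One way to pull the winsync failure lines discussed in this thread out of a 389 errors log, added here as an example; it is not part of the original messages and not 389 or FreeIPA code. The finding names and the `triage` function are assumptions made for the illustration, and the sample lines are copied from the log excerpts quoted in this thread.

```python
import re
from collections import Counter
from datetime import datetime

# Sample lines copied from the errors-log excerpts quoted in this thread.
SAMPLE = r'''[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): windows_replay_update: Looking at modify operation local dn="uid=jkeller,cn=users,cn=accounts,dc=miovision,dc=linux" (ours,user,not group)
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [] scope [0] filter [(objectclass=*)]: error 1:Operations error
[17/May/2013:13:28:42 -0400] NSMMReplicationPlugin - agmt="cn=meTodc1.miovision.corp" (dc1:389): map_entry_dn_outbound: entry not found - rc -1
[23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - windows_tot_run: protocol not stopped after waiting for 600 seconds for agreement agmt="cn=meTodc1.miovision.corp" (dc1:389)
[23/May/2013:13:46:30 -0400] NSMMReplicationPlugin - (null): windows_process_dirsync_entry: not allowed to add entry CN=Shared Login,CN=Users,DC=miovision,DC=corp.
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$')
LOCAL_DN = re.compile(r'windows_replay_update: Looking at \w+ operation local dn="([^"]+)"')
# (finding name, pattern). Names are hypothetical labels; group 1, when present, is the subject.
RULES = [
    ("inbound_add_refused", re.compile(r'windows_process_dirsync_entry: not allowed to add entry (.+?)\.?$')),
    ("ad_search_failed", re.compile(r'Could not retrieve entry from Windows .*: error \d+:')),
    ("ad_entry_not_found", re.compile(r'map_entry_dn_outbound: entry not found')),
    ("agreement_stop_timeout", re.compile(r'protocol not stopped after waiting for \d+ seconds for agreement agmt="([^"]+)"')),
]

def triage(text):
    """Return (Counter keyed by (finding, subject), list of (timestamp, finding, subject))."""
    counts, events, current_dn = Counter(), [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation or truncated line: skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        dn = LOCAL_DN.search(m["msg"])
        if dn:
            current_dn = dn.group(1)  # later outbound failures refer to this local entry
            continue
        for kind, rx in RULES:
            hit = rx.search(m["msg"])
            if hit:
                subject = hit.group(1) if hit.groups() else current_dn
                counts[(kind, subject)] += 1
                events.append((ts, kind, subject))
                break
    return counts, events

if __name__ == "__main__":
    for (kind, subject), n in triage(SAMPLE)[0].items():
        print(f"{n:3d}  {kind:24s} {subject}")
```

Run over a full errors log, a high count for one local DN under `ad_search_failed` corresponds to the repeating per-user failure reported in the thread.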