Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD

2014-11-13 Thread Сапегин Валерий
Hi Rich!

I turned on the log and see the following records

[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=
meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: start_backoff -
backoff
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV:
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier:
{replicageneration} 5440f0390003
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replica 3
ldap://ipa.test-csbi-its.ru:389} 5440f03900010003 5464956e0003
5464956e
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV:
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV is newer
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=
meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Cancelling linger on the
connection
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state before
546495820001:1415878018:0:0
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state after
54649586:1415878022:0:0
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=
meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: backoff -
sending_updates
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=
meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
vector. It has never been initialized.
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=
meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Beginning linger on the
connection
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=
meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: sending_updates
- start_backoff



   Best regards, Valeriy



On 10/29/2014 03:19 AM, Сапегин Валерий wrote:

Yes Dmitri, ldapsearch works well:

[root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/
ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D
cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b
cn=users,dc=csbigroup,dc=ru
dn: cn=users,dc=csbigroup,dc=ru
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=csbigroup,DC=ru
instanceType: 4
...
...


Ok.  Now try to do a windows sync with the dirsrv replication error log
level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Then we can take a look at the detailed errors.


 Best regards, Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unitaip gmail com:

Hello!

  I tried to configure synchronization between FreeIPA and Windows AD
 2012. The first time, accounts from AD synchronized properly, but the next
 scheduled run after 5 min does not work, and in the error log I see the
 following errors:

 # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
 [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn=
 meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
 vector. It has never been initialized.
 [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn=
 meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
 vector. It has never been initialized.
 [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn=
 meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
 vector. It has never been initialized.

  First synchronization out

 Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate
 database for ipa.test-csbi-its.ru
 ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
 The user for the Windows PassSync service is
 uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
 Windows PassSync entry exists, not resetting password
 ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
 ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
 acquired successfully: Incremental update started: start: 0: end: 0
 ipa: INFO: Agreement is ready, starting replication . . .
 Starting replication, please wait until this has completed.
 Update in progress, 13 seconds elapsed
 [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update
 abortedLDAP error: Can't contact LDAP server]

 Failed to start replication



  FreeIPA server version 3.3.3
  OS version Centos 7
  AD Domain 2012

  Can you help me to resolve this problem?

 Best regards, Valeriy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
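As an added example, not code from the thread or from the FreeIPA or 389-ds projects, here is a small Python parser for 389-ds errors-log lines of the kind quoted above. It pulls out the agreement name, the consumer host and port and the state transitions, and reports the conditions the excerpt shows: a consumer RUV of null ("never been initialized"), a session that falls from sending_updates straight back to start_backoff, and the absence of any winsync trace lines. The sample log is constructed from the excerpt above with the mail client's line wrapping undone; the check that winsync trace lines carry plugin function names beginning with "windows_" is my assumption, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the 389-ds errors-log excerpt from the thread, with the
# mail client's line wrapping undone so that each entry is one line again.
SAMPLE_LOG = """\
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: start_backoff - backoff
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV:
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replicageneration} 5440f0390003
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV:
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV is newer
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: backoff - sending_updates
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: sending_updates - start_backoff
"""

# "[timestamp] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
# agmt=cn=NAME (HOST:PORT): REST   (newer 389-ds versions quote the DN: agmt="cn=NAME")
AGMT_RE = re.compile(r'agmt="?cn=(?P<agmt>[^"\s]+)"? \((?P<host>[^:)]+):(?P<port>\d+)\): (?P<rest>.*)$')
# State: OLD - NEW   (the real log writes "->"; the mail in the thread shows "-")
STATE_RE = re.compile(r"State: (?P<old>\w+) -+>? (?P<new>\w+)")


@dataclass
class AgreementEvent:
    timestamp: str
    agreement: str
    host: str
    port: int
    message: str
    old_state: Optional[str] = None
    new_state: Optional[str] = None


def parse_agreement_events(text: str) -> List[AgreementEvent]:
    """Return one event per log line that names a replication agreement."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        a = AGMT_RE.search(m.group("msg"))
        if not a:
            continue
        ev = AgreementEvent(m.group("ts"), a.group("agmt"), a.group("host"),
                            int(a.group("port")), a.group("rest"))
        s = STATE_RE.match(ev.message)
        if s:
            ev.old_state, ev.new_state = s.group("old"), s.group("new")
        events.append(ev)
    return events


def diagnose(text: str) -> Dict[str, object]:
    """Summarise what the excerpt says about the agreement's health."""
    events = parse_agreement_events(text)
    transitions = [(e.old_state, e.new_state) for e in events if e.new_state]
    lines = text.splitlines()
    never_initialized = any("never been initialized" in e.message for e in events)
    consumer_ruv_null = any("consumer RUV = null" in ln for ln in lines)
    # Assumption (mine, not stated in the thread): winsync trace messages carry
    # plugin function names beginning with "windows_" once the replication log
    # level is on; an excerpt without any such line shows no winsync activity.
    winsync_trace = any("windows_" in ln for ln in lines)
    # sending_updates falling straight back to start_backoff means the session
    # was abandoned, which is what a consumer with no RUV produces.
    backoff_loop = ("sending_updates", "start_backoff") in transitions

    findings = []
    if never_initialized or consumer_ruv_null:
        findings.append("consumer has no RUV: the agreement was never initialized")
    if backoff_loop:
        findings.append("session aborted: sending_updates -> start_backoff")
    if not winsync_trace:
        findings.append("no winsync trace lines: enable the replication log level and trigger a sync")
    return {
        "agreements": sorted({(e.agreement, e.host, e.port) for e in events}),
        "transitions": transitions,
        "never_initialized": never_initialized,
        "consumer_ruv_null": consumer_ruv_null,
        "backoff_loop": backoff_loop,
        "winsync_trace": winsync_trace,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real errors log by reading the file into `diagnose()`; the state transitions alone tell you whether the agreement ever gets past sending_updates, and an empty `winsync_trace` with the replication log level set means the sync was never triggered during the capture.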

Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD

2014-11-13 Thread Rich Megginson

On 11/13/2014 05:14 AM, Сапегин Валерий wrote:

Hi Rich!

I turned on the log and see the following records

[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: start_backoff - backoff

[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV:
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replicageneration} 5440f0390003
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - supplier: {replica 3 ldap://ipa.test-csbi-its.ru:389} 5440f03900010003 5464956e0003 5464956e

[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV:
[13/Nov/2014:14:27:02 +0300] - acquire_replica, consumer RUV = null
[13/Nov/2014:14:27:02 +0300] - acquire_replica, supplier RUV is newer
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Cancelling linger on the connection
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state before 546495820001:1415878018:0:0
[13/Nov/2014:14:27:02 +0300] - _csngen_adjust_local_time: gen state after 54649586:1415878022:0:0
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: backoff - sending_updates
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Beginning linger on the connection
[13/Nov/2014:14:27:02 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): State: sending_updates - start_backoff




There is no windows sync trace activity here.  You have to first enable 
the replication log level, then do something that will trigger windows 
sync activity.



Best regards, Valeriy



On 10/29/2014 03:19 AM, Сапегин Валерий wrote:

Yes Dmitri, ldapsearch works well:

[root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ 
ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D 
cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b 
cn=users,dc=csbigroup,dc=ru

dn: cn=users,dc=csbigroup,dc=ru
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=csbigroup,DC=ru
instanceType: 4
...
...



Ok.  Now try to do a windows sync with the dirsrv replication error 
log level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting


Then we can take a look at the detailed errors.



Best regards, Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unitaip gmail com:


Hello!

I tried to configure synchronization between FreeIPA and Windows
AD 2012. The first time, accounts from AD synchronized properly,
but the next scheduled run after 5 min does not work, and in the
error log I see the following errors:

# tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
[23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.

First synchronization out

Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to
certificate database for ipa.test-csbi-its.ru
ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become
ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0
Replica acquired successfully: Incremental update started: start:
0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 13 seconds elapsed
[ipa.test-csbi-its.ru] reports:
Update failed! Status: [-1 Total update abortedLDAP error: Can't
 

Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD

2014-10-29 Thread Сапегин Валерий
Yes Dmitri, ldapsearch works well:

[root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/
ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D
cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b
cn=users,dc=csbigroup,dc=ru
dn: cn=users,dc=csbigroup,dc=ru
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=csbigroup,DC=ru
instanceType: 4
...
...


Best regards, Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unit...@gmail.com:

 Hello!

 I tried to configure synchronization between FreeIPA and Windows AD 2012.
 The first time, accounts from AD synchronized properly, but the next
 scheduled run after 5 min does not work, and in the error log I see the
 following errors:

 # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
 [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn=
 meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
 vector. It has never been initialized.
 [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn=
 meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
 vector. It has never been initialized.
 [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn=
 meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
 vector. It has never been initialized.

 First synchronization out

 Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate
 database for ipa.test-csbi-its.ru
 ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
 The user for the Windows PassSync service is
 uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
 Windows PassSync entry exists, not resetting password
 ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
 ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
 acquired successfully: Incremental update started: start: 0: end: 0
 ipa: INFO: Agreement is ready, starting replication . . .
 Starting replication, please wait until this has completed.
 Update in progress, 13 seconds elapsed
 [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update
 abortedLDAP error: Can't contact LDAP server]

 Failed to start replication



 FreeIPA server version 3.3.3
 OS version Centos 7
 AD Domain 2012

 Can you help me to resolve this problem?

 Best regards, Valeriy


Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD

2014-10-29 Thread Rich Megginson

On 10/29/2014 03:19 AM, Сапегин Валерий wrote:

Yes Dmitri, ldapsearch works well:

[root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ 
ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D 
cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b 
cn=users,dc=csbigroup,dc=ru

dn: cn=users,dc=csbigroup,dc=ru
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=csbigroup,DC=ru
instanceType: 4
...
...



Ok.  Now try to do a windows sync with the dirsrv replication error log 
level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting


Then we can take a look at the detailed errors.



Best regards, Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unit...@gmail.com:


Hello!

I tried to configure synchronization between FreeIPA and Windows
AD 2012. The first time, accounts from AD synchronized properly,
but the next scheduled run after 5 min does not work, and in the
error log I see the following errors:

# tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
[23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.

First synchronization out

Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to
certificate database for ipa.test-csbi-its.ru
ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become
ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0
Replica acquired successfully: Incremental update started: start:
0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 13 seconds elapsed
[ipa.test-csbi-its.ru] reports:
Update failed! Status: [-1 Total update abortedLDAP error: Can't
contact LDAP server]

Failed to start replication



FreeIPA server version 3.3.3
OS version Centos 7
AD Domain 2012

Can you help me to resolve this problem?

Best regards, Valeriy







Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD

2014-10-23 Thread Rich Megginson

On 10/23/2014 10:26 AM, Dmitri Pal wrote:

On 10/23/2014 08:19 AM, Сапегин Валерий wrote:

Hello!

I tried to configure synchronization between FreeIPA and Windows AD 
2012. The first time, accounts from AD synchronized properly, 
but the next scheduled run after 5 min does not work, and in the error 
log I see the following errors:


# tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
[23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update vector. It has never been initialized.


First synchronization out

Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to 
certificate database for ipa.test-csbi-its.ru

ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru

Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica 
acquired successfully: Incremental update started: start: 0: end: 0

ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 13 seconds elapsed
[ipa.test-csbi-its.ru] reports: Update 
failed! Status: [-1 Total update abortedLDAP error: Can't contact 
LDAP server]


Can you connect from this replica to AD using ldapsearch?


specifically
$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -ZZ 
-h fqdn.of.windows.machine -D 
cn=administrator,cn=users,dc=csbigroup,dc=ru -w windows admin 
password -s base -b cn=users,dc=csbigroup,dc=ru






Failed to start replication



FreeIPA server version 3.3.3
OS version Centos 7
AD Domain 2012

Can you help me to resolve this problem?

Best regards, Valeriy





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



