Zdenek Sobotka via FreeIPA-users wrote:
> Hello,
> I would need advice on setting up account synchronization between a
> Windows 10 testing instance with AD and FreeIPA.
> I successfully imported CA certificates for trust between AD and
> FreeIPA, and ran ldapsearch, which I can use to read information from
> Windows AD.
> Now I want to synchronize account data from AD to FreeIPA using
> "ipa-replica-manage connect --winsync".
> In debug mode I see that the synchronization is established, and there
> is also an attempt at data replication.
> At the end it says that the replica update "passed successfully", but
> no AD data was added when I looked into FreeIPA.
>
> Here is the log:
>
> ```
> [root@freeipa ~]# ipa-replica-manage connect -d --verbose --winsync --no-lookup \
>     --binddn="cn=Administrator,cn=Users,dc=ngov,dc=local" --bindpw="H3sl0123456." \
>     --cacert=/etc/ipa/ca.crt --passsync="TESTTEST111" WIN-7G3BH6KDDHU.ngov.local
>
> Directory Manager password:
>
> ipa: DEBUG: Created connection context.ldap2_140493289808392
> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/bin/systemctl', 'stop', '[email protected]']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Stop of [email protected] complete
> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=Certificate Authority,O=TEST.LOCAL', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=WIN-7G3BH6KDDHU.ngov.local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=ngov-WIN-7G3BH6KDDHU-CA,DC=ngov,DC=local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/bin/systemctl', 'start', '[email protected]']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/bin/systemctl', 'is-active', '[email protected]']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120
> ipa: DEBUG: waiting for port: 389
> ipa: DEBUG: SUCCESS: port: 389
> ipa: DEBUG: Start of [email protected] complete
> ipa: DEBUG: Created connection context.ldap2_140493289808392
> Added CA certificate /etc/ipa/ca.crt to certificate database for freeipa.TEST.local
> ipa: INFO: AD Suffix is: DC=ngov,DC=local
> ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://freeipa.TEST.local:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fc7249c2c88>
> ipa: DEBUG: Add or update replica config cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config
> ipa: DEBUG: No update to cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config necessary
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local
> Windows PassSync system account exists, not resetting password
> ipa: DEBUG: Plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' already 'uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local' in passSyncManagersDNs
> ipa: DEBUG: Waiting up to 300 seconds for replication (ldaps://freeipa.TEST.local:636) cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config (objectclass=*)
> ipa: DEBUG: Entry found [LDAPEntry(ipapython.dn.DN('cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config'), {
>     'objectClass': [b'nsDSWindowsReplicationAgreement', b'top'],
>     'cn': [b'meToWIN-7G3BH6KDDHU.ngov.local'],
>     'nsDS5ReplicaHost': [b'WIN-7G3BH6KDDHU.ngov.local'],
>     'nsDS5ReplicaPort': [b'389'],
>     'nsds5replicaTimeout': [b'120'],
>     'nsDS5ReplicaRoot': [b'dc=TEST,dc=local'],
>     'description': [b'me to WIN-7G3BH6KDDHU.ngov.local'],
>     'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
>     'nsDS5ReplicaBindDN': [b'cn=Administrator,cn=Users,dc=ngov,dc=local'],
>     'nsDS5ReplicaTransportInfo': [b'TLS'],
>     'nsDS5ReplicaBindMethod': [b'simple'],
>     'nsds7WindowsReplicaSubtree': [b'cn=Users,DC=ngov,DC=local'],
>     'nsds7DirectoryReplicaSubtree': [b'cn=users,cn=accounts,dc=TEST,dc=local'],
>     'nsds7NewWinUserSyncEnabled': [b'true'],
>     'nsds7NewWinGroupSyncEnabled': [b'false'],
>     'nsds7WindowsDomain': [b'TEST.local'],
>     'nsDS5ReplicaCredentials': [b'{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTVaRGxoTVRJNFpDMHhOVGt6TTJZNQ0KTmkwNU9HTTBNR0ZtTXkxaE56TTJaakUwTWdBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRGJXVlFqdEZEY3k1RjFYTEMwT1V2TA==}gjvpjBG5R/xt7jkO7XzRPg=='],
>     'nsds5replicareapactive': [b'0'],
>     'nsds5replicaLastUpdateStart': [b'19700101000000Z'],
>     'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
>     'nsds5replicaChangesSentSinceStartup': [b''],
>     'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'],
>     'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2021-10-20T10:36:28Z", "message": "Error (0) No replication sessions started since server startup"}'],
>     'nsds5replicaUpdateInProgress': [b'FALSE'],
>     'nsds5replicaLastInitStart': [b'19700101000000Z'],
>     'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: Error (0) Replica acquired successfully: Incremental update started: start: 20211020103628: end: 20211020103628
> ipa: INFO: Agreement is ready, starting replication . . .
> ipa: WARNING: This configuration ("--winsync") may imply that the log file contains clear text passwords.
> Please ensure that these files can be accessed only by trusted accounts.
> Log files are under /var/lib/dirsrv/slapd-TEST-LOCAL/cldb
> Starting replication, please wait until this has completed.
>
> Update succeeded
>
> Connected 'freeipa.TEST.local' to 'WIN-7G3BH6KDDHU.ngov.local'
> ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
> [root@freeipa ~]#
> ```
>
> I will be happy for any helpful advice. Thanks.
I'd suggest enabling replication debugging to see what is going on:
https://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

rob
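As an added example (not code from the thread, FreeIPA or 389-ds), a small Python helper that parses the agreement attributes from the `Entry found [LDAPEntry(...)]` debug dump above and lists the reasons the winsync agreement may not have moved any accounts yet; the sample input is constructed from the values quoted in the post, reduced to the status attributes that matter.

```python
"""Added diagnostic helper (not FreeIPA or 389-ds code): parse the agreement dump that
`ipa-replica-manage -d` prints as `Entry found [LDAPEntry(...)]` and explain an empty sync."""
import json
import re

EPOCH = "19700101000000Z"  # 389-ds stores this timestamp when an update has never run

# Constructed sample, reduced to the attributes of the agreement dump in the post.
SAMPLE_DUMP = (
    "'nsDS5ReplicaHost': [b'WIN-7G3BH6KDDHU.ngov.local'], "
    "'nsds7WindowsReplicaSubtree': [b'cn=Users,DC=ngov,DC=local'], "
    "'nsds7DirectoryReplicaSubtree': [b'cn=users,cn=accounts,dc=TEST,dc=local'], "
    "'nsds7NewWinUserSyncEnabled': [b'true'], "
    "'nsds5replicaLastUpdateStart': [b'19700101000000Z'], "
    "'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], "
    "'nsds5replicaChangesSentSinceStartup': [b''], "
    "'nsds5replicaLastUpdateStatusJSON': [b'{\"state\": \"green\", \"ldap_rc\": \"0\", "
    "\"repl_rc\": \"0\", \"message\": \"Error (0) No replication sessions started "
    "since server startup\"}'], "
    "'nsds5replicaLastInitStart': [b'19700101000000Z']"
)

# One single-valued attribute in the python-ldap repr looks like 'name': [b'value']
ATTR_RE = re.compile(r"'(\w+)': \[b'([^']*)'\]")

def parse_agreement(dump: str) -> dict:
    """Map attribute name -> value for every single-valued attribute in the dump."""
    return dict(ATTR_RE.findall(dump))

def diagnose(attrs: dict) -> list:
    """Return findings that explain an empty sync; [] means the agreement has run."""
    findings = []
    if attrs.get("nsds5replicaLastUpdateStart") == EPOCH:
        findings.append("no incremental update has started (LastUpdateStart is epoch)")
    if attrs.get("nsds5replicaLastInitStart") == EPOCH:
        findings.append("no total update has started (LastInitStart is epoch)")
    if attrs.get("nsds5replicaChangesSentSinceStartup", "") == "":
        findings.append("no changes sent since server startup")
    status = json.loads(attrs.get("nsds5replicaLastUpdateStatusJSON", "{}"))
    if status.get("ldap_rc", "0") != "0" or status.get("repl_rc", "0") != "0":
        findings.append("last update failed: " + status.get("message", "?"))
    elif "No replication sessions" in status.get("message", ""):
        findings.append("state is 'green' only because no session has run yet")
    if attrs.get("nsds7NewWinUserSyncEnabled") != "true":
        findings.append("new AD users are not synced (nsds7NewWinUserSyncEnabled)")
    return findings

if __name__ == "__main__":
    print(*diagnose(parse_agreement(SAMPLE_DUMP)), sep="\n")
```

The same attributes can be read live with an ldapsearch of the agreement entry under `cn=mapping tree,cn=config`; a `state` of `green` is only meaningful once the LastUpdateStart timestamp has moved off the epoch.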
