[Fedora-directory-users] Windows sync woes

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Apr 21 02:21:58 UTC 2009


Hello, all.  I'm having grief trying to get DS 8.0 to synchronize with
Active Directory on Windows 2003 Server R2.

I first tried to synchronize an existing branch of DS with ntuser ids to
a fresh AD.  That kept failing with sync total update aborted LDAP error
operations error code 1 and messages about failing to replay creation in
the errors log.

I then deleted the agreement, created a new empty branch in DS, and set
up a windows synchronization agreement.  All the errors went away.  I
also verified communication with 
/usr/lib64/mozldap/ldapsearch -Z -P ./cert8.db -h <hostname> -p 636 -D
"cn=Synch Manager,cn=users,dc=some,dc=domain" -w - -s sub -b
"cn=Users,dc=some,dc=domain" "cn=*"

However, when I create a new user in DS, it does not propagate to AD.  I
create the user, add the NT user option and set the uid as well as check
the create new account and delete account boxes.

The DS is set up as a single master.  We do not want entries from AD
propagating to DS, just from DS to AD.  We initially created the
synchronization user in AD as a member of domain admins.  We also tried
making it a member of enterprise and schema admins.  Nothing seems to
work.

We see nothing in the AD logs to indicate where the failure is.  We see
very little on DS:

[20/Apr/2009:21:41:21 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=TestWinSync" (timberline:636)".
[20/Apr/2009:21:41:22 -0400] - Entry "uid=Guest,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "person"
[20/Apr/2009:21:41:22 -0400] - Entry "uid=SUPPORT_388945a0,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object clas
[20/Apr/2009:21:41:22 -0400] - Entry "uid=Administrator,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "
[20/Apr/2009:21:41:22 -0400] - Entry "uid=krbtgt,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "person"
[20/Apr/2009:21:41:22 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=TestWinSync" (timberline:636)". Sent 18 entries.
[20/Apr/2009:21:43:07 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): windows_replay_update: Cannot replay add operation.
[20/Apr/2009:21:43:07 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:21:48:06 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:21:55:58 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): windows_replay_update: Cannot replay add operation.
[20/Apr/2009:21:55:58 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:22:00:59 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed

I was surprised to see the entries for the Windows-based users
propagating.  They do not show up in DS.  I'm assuming the replay add
operation failures are the attempts to add the user defined in DS.  The
user was most minimal, with only sn, givenName, cn, uid, password and the
above-mentioned NT attributes set.

Not being very versed in AD, I'm sure I must be making some dumb mistake
but I don't see what it is.  Any suggestions on where to look? Thanks -
John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
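As an added illustration (not part of the original post or of 389 DS itself), the following parser tallies the winsync-relevant events in an errors-log excerpt like the one quoted above: per-agreement "Cannot replay add operation" failures, "missing attribute ... required by object class" schema complaints, and the entry count reported at the end of a total update. The log format is assumed from the quoted lines; the sample is a constructed excerpt of them.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the errors-log lines quoted in the post.
SAMPLE_LOG = """\
[20/Apr/2009:21:41:21 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=TestWinSync" (timberline:636)".
[20/Apr/2009:21:41:22 -0400] - Entry "uid=Guest,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "person"
[20/Apr/2009:21:41:22 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=TestWinSync" (timberline:636)". Sent 18 entries.
[20/Apr/2009:21:43:07 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): windows_replay_update: Cannot replay add operation.
[20/Apr/2009:21:43:07 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:21:55:58 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): windows_replay_update: Cannot replay add operation.
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$')
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\)')
MISSING_RE = re.compile(r'Entry "(?P<dn>[^"]+)" missing attribute "(?P<attr>[^"]+)" '
                        r'required by object class "(?P<oc>[^"]*)')
SENT_RE = re.compile(r'Sent (?P<n>\d+) entries')

def parse_errors_log(text):
    """Summarise winsync events in 389 DS errors-log text (format assumed from the post)."""
    summary = {"replay_add_failures": Counter(),  # per "agmt (host:port)"
               "schema_violations": [],           # (dn, attribute, objectclass)
               "total_update_sent": {}}           # per agreement -> entries sent
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                               # not a timestamped log line
        msg = m.group("msg")
        a = AGMT_RE.search(msg)
        key = f'{a.group("agmt")} ({a.group("host")}:{a.group("port")})' if a else None
        if "Cannot replay add operation" in msg and key:
            summary["replay_add_failures"][key] += 1   # DS->AD add never landed
        elif (mv := MISSING_RE.search(msg)):
            summary["schema_violations"].append((mv.group("dn"), mv.group("attr"), mv.group("oc")))
        elif (s := SENT_RE.search(msg)) and key:
            summary["total_update_sent"][key] = int(s.group("n"))
    return summary

def problems(summary):
    """One finding per replay failure group and per schema violation."""
    out = [f"{k}: {n} add operation(s) could not be replayed to AD"
           for k, n in summary["replay_add_failures"].items()]
    out += [f"{dn}: missing '{attr}' required by objectclass '{oc}'"
            for dn, attr, oc in summary["schema_violations"]]
    return out

if __name__ == "__main__":
    for finding in problems(parse_errors_log(SAMPLE_LOG)):
        print(finding)
```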