[389-users] loss of group members in AD after initialization of sync

Richard Megginson rmeggins at redhat.com
Mon Jun 15 19:33:09 UTC 2009


----- "jean-Noël Chardron" <Jean-Noel.Chardron at dr15.cnrs.fr> wrote:

> hello,
> 
> When I initiate a first full synchronization of DS and AD I lost members
> in groups
> 
> error log shows :
> 
> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
> 
> AD entry [CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
> 
> [c0e73a492ffbc04c9e85781a68f45023]
> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid
> [SFC]
> [...]
> [10/Jun/2009:15:00:11 +0200] - Windows sync entry: Adding new local 
> entry dn: cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
> objectClass: top
> objectClass: groupofuniquenames
> objectClass: ntGroup
> ntGroupDeleteGroup: true
> cn: SFC
> description: Service Financier et Comptable
> uniqueMember: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, 
> dc=cnrs, dc=
>  fr
> uniqueMember:[...]
> follow 10 members
> 
> [...]
> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - received entry
> from 
> dirsync: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
> 
> AD entry [CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
> 
> [0cdf6e627d64684cb10c70b3b8753fda]
> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid
> [MX]
> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: problem looking for username:
> -1
> [10/Jun/2009:15:00:24 +0200] - Windows sync entry: Adding new local 
> entry dn: uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
> dc=fr
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetOrgPerson
> objectClass: ntUser
> ntUserDeleteAccount: true
> uid: MX
> sn: MX
> givenName: Guillaume
> cn: MX
> ntUserCodePage: 0
> ntUserAcctExpires: 0
> ntUserDomainId: MX
> mail: Guillaume.MX at dr15.cnrs.fr
> ntUniqueId: 0cdf6e627d64684cb10c70b3b8753fda
> 
> 
> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): windows_process_total_entry: Looking 
> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" (ours)
> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" 
> guid="c0e73a492ffbc04c9e85781a68f45023"
> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr"
> username="SFC"
> [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request
> plugin
> [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 
> messages, 1 entries, 0 references
> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_outbound: found AD entry 
> dn="CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
> [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request
> plugin
> [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 
> messages, 1 entries, 0 references
> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - 
> windows_generate_update_mods: 
> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, description : 
> values are equal
> [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for
> 
> uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
> [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for
> uid=
> 
> [follow 10 entries,]
> 
> [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request
> plugin
> [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 
> messages, 1 entries, 0 references
> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
> 
> AD entry
> [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
> 
> [72a7171ffaa0d84a9ca4ec2d90a4ab2b]
> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid 
> [essaibug]
> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: problem looking for username:
> -1
> [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request
> plugin
> [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 
> messages, 1 entries, 0 references
> 
> [10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin - 
> windows_generate_update_mods: 
> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, sAMAccountName
> : 
> values are equal
> [10/Jun/2009:15:01:38 +0200] - smod - windows sync
> [10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member
> [10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: 
> CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
> [10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member
> [10/Jun/2009:15:01:38 +0200] - smod 1 - value: member:
> 
> [follow the 10 entries]
> 
> [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - 
> windows_update_remote_entry: modifying entry 
> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
> [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): Received result code 0 () for modify operation
> 
> [10/Jun/2009:15:01:55 +0200] - map_dn_values: no local entry found for
> 
> uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
> 
> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - received entry
> from 
> dirsync:
> CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
> 
> AD entry
> [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
> 
> [72a7171ffaa0d84a9ca4ec2d90a4ab2b]
> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid 
> [essaibug]
> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_inbound: problem looking for username:
> -1
> [10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local 
> entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
> dc=fr
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetOrgPerson
> objectClass: ntUser
> ntUserDeleteAccount: true
> uid: essaibug
> sn: essaibug
> cn: essaibug
> ntUserCodePage: 0
> ntUserAcctExpires: 9223372036854775807
> ntUserDomainId: essaibug
> ntUniqueId: 72a7171ffaa0d84a9ca4ec2d90a4ab2b
> 
> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
> dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
> dc=fr" 
> guid="72a7171ffaa0d84a9ca4ec2d90a4ab2b"
> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
> dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
> dc=fr" 
> username="essaibug"
> [10/Jun/2009:15:07:13 +0200] - Calling windows entry search request
> plugin
> [10/Jun/2009:15:07:13 +0200] - windows_search_entry: recieved 2 
> messages, 1 entries, 0 references
> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" 
> (zebigbos:636): map_entry_dn_outbound: found AD entry 
> dn="CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
> 
> (following the translation of google)
> I suppose that during the initialization of the replication, groups have
> lost members (group sfc) with the logs in order explicit removal of the
> member in the group, sent by the DS to AD. The most likely explanation
> is that the process is sequential but with a dispatch from AD to
> DS-anarchic, with a group can be created before members in DS users.
> These are leading to a later stage in a request for suppression AD DS
> to members of the group that did not exist before the creation of the
> group. This is "normal" since DS checks the consistency of information
> and therefore the group members. The solution to this problem is to
> create manually in the AD to add the lost members in the group or maybe
> to initialize sync twice in a closed time.
> 
> The administrator of the Windows server and the AD insulted me as a
> result of this blunder.
> I asked him if he had a backup of the AD. He had not.
>

So let me see if I understand what is happening:
DS attempts to sync some groups from AD - since the user does not exist, it deletes the member from the group.  Then it syncs the group back to AD, and deletes those users from AD.
Is that correct?
I suppose a workaround would be to make sure all of the users are first added to DS, then sync the groups.
 
> -- 
> 
> Jean-Noel Chardron
> 
> 
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
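
The sequence discussed in this thread (a `delete: member` modification sent to AD for a group, followed later by the local creation of that same user) can be looked for in the error log. The script below is an added example, not part of the original messages or of 389 DS: the sample log is constructed and unwrapped to one entry per line, and matching an AD member to a DS entry by its first RDN value is an assumption made for illustration.

```python
import re

# Constructed sample in the format of the log quoted above (one entry per line,
# example.com DNs, agreement and host names invented); not from a real server.
SAMPLE_LOG = """\
[10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for uid=alice,ou=users,dc=example,dc=com
[10/Jun/2009:15:01:38 +0200] - smod - windows sync
[10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member
[10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: CN=alice,OU=users,DC=example,DC=com
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - windows_update_remote_entry: modifying entry CN=staff,OU=groups,DC=example,DC=com
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - agmt="cn=example" (adhost:636): Received result code 0 () for modify operation
[10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local entry dn: uid=alice,ou=users,dc=example,dc=com
"""

OP = re.compile(r"- smod (\d+) - (\w+): member\s*$")
VAL = re.compile(r"- smod (\d+) - value: member: (.+)$")
MODIFY = re.compile(r"windows_update_remote_entry: modifying entry (.+)$")
LOCAL_ADD = re.compile(r"Adding new local entry dn: (.+)$")


def rdn_value(dn):
    """First RDN value, lowercased (CN=alice,OU=... -> alice). Heuristic only."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def find_premature_member_deletes(log_text):
    """Return member removals sent to AD before the user existed locally."""
    ops, pending, removed, findings = {}, [], {}, []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := OP.search(line):
            ops[m.group(1)] = m.group(2)          # operation type per smod index
        elif m := VAL.search(line):
            if ops.get(m.group(1)) == "delete":
                pending.append(m.group(2))        # member DN queued for removal
        elif m := MODIFY.search(line):
            for member in pending:                # removals now applied to this group
                removed.setdefault(rdn_value(member), []).append((m.group(1), member))
            ops, pending = {}, []
        elif m := LOCAL_ADD.search(line):
            # A user created locally after its membership was already removed.
            for group, member in removed.pop(rdn_value(m.group(1)), []):
                findings.append({"group": group, "member": member,
                                 "local_entry": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in find_premature_member_deletes(SAMPLE_LOG):
        print(f"{f['group']}: removed {f['member']} before {f['local_entry']} was added")
```

Each finding names a group and member to restore in AD; a log with no findings means no removal preceded the creation of the matching local user.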



