[389-users] 389 <=> AD group sync

Rich Megginson rmeggins at redhat.com
Mon Dec 10 22:55:18 UTC 2012 

On 12/10/2012 12:21 AM, Matti Alho wrote:
>>> I noticed this:
>>> dn="cn=stilltesting,cn=Users,dc=domain,dc=com" (not present,add not
>>> allowed)
>>>
>>> What could cause that? Some AD permissions? It's a bit weird since
>>> full update works.
>>
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html 
>>
>>
>>
>> Does cn=stilltesting,cn=Users,dc=domain,dc=com have
>> ntGroupCreateNewGroup: TRUE
>
> Yes, below is the entry. And actually in the guide you linked 
> ntGroupCreateNewGroup value is "on" in the console section and "true" 
> in command line section. I guess both are okay. I did try both values.
>
> dn: cn=stilltesting,ou=People,dc=domain,dc=com
> ntGroupCreateNewGroup: true
> description: stilltesting
> objectClass: top
> objectClass: groupofuniquenames
> objectClass: ntgroup
> uniqueMember: uid=btab,ou=People,dc=domain,dc=com
> ntUserDomainId: stilltesting
> cn: stilltesting
>
> Logs after incremental update (which doesn't work):
>
> [10/Dec/2012:08:45:34 +0200] agmt="cn=winsync" (adtest:636) - session 
> start: anchorcsn=50c1bec7000000010000
> [10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - changelog program 
> - agmt="cn=winsync" (adtest:636): CSN 50c1bec7000000010000 found, 
> position set for replay
> [10/Dec/2012:08:45:34 +0200] agmt="cn=winsync" (adtest:636) - load=1 
> rec=1 csn=50c5850f000000010000
start
> [10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): windows_replay_update: Looking at modify operation local 
> dn="cn=stilltesting,ou=People,dc=domain,dc=com" (ours,not user,group)
> [10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
> dn="cn=stilltesting,ou=People,dc=domain,dc=com" guid="(null)"
> [10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
> dn="cn=stilltesting,ou=People,dc=domain,dc=com" username="stilltesting"
> [10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): map_entry_dn_outbound: entry not found - rc 0
> [10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): windows_replay_update: Processing modify operation local 
> dn="cn=stilltesting,ou=People,dc=domain,dc=com" remote 
> dn="cn=stilltesting,cn=Users,dc=domain,dc=com"

This sequence looks like it is attempting to replay a modify operation 
on the DS entry cn=stilltesting,ou=People,dc=domain,dc=com but it cannot 
find the corresponding AD entry.  So the operation fails.

> [10/Dec/2012:08:45:34 +0200] agmt="cn=winsync" (adtest:636) - 
> clcache_load_buffer: rc=-30988
> [10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): No more updates to send (cl5GetNextOperationToReplay)
> [10/Dec/2012:08:45:34 +0200] agmt="cn=winsync" (adtest:636) - session 
> end: state=5 load=1 sent=1 skipped=0
> [10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): Beginning linger on the connection
> [10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): State: sending_updates -> wait_for_changes
> [10/Dec/2012:08:46:35 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): Linger timeout has expired on the connection
> [10/Dec/2012:08:46:35 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): Disconnected from the consumer
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): State: wait_for_changes -> wait_for_changes
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): State: wait_for_changes -> ready_to_acquire_replica
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): Trying secure slapi_ldap_init_ext
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): binddn = cn=replication manager,cn=Users,dc=domain,dc=com,
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): No linger to cancel on the connection
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): State: ready_to_acquire_replica -> sending_updates
> [10/Dec/2012:08:48:11 +0200] - _cl5PositionCursorForReplay 
> (agmt="cn=winsync" (adtest:636)): Consumer RUV:
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replicageneration} 505ae68e000000010000
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replica 1 ldap://ldapnew.domain.com:389} 
> 505aedad000000010000 50c5850f000000010000 50c5850e
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}
> [10/Dec/2012:08:48:11 +0200] - _cl5PositionCursorForReplay 
> (agmt="cn=winsync" (adtest:636)): Supplier RUV:
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replicageneration} 505ae68e000000010000
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replica 1 ldap://ldapnew.domain.com:389} 
> 505aedad000000010000 50c5850f000000010000 50c5850e
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}
> [10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): No changes to send
>
>
> Logs after full manual update (which works):
>
> [10/Dec/2012:09:12:47 +0200] agmt="cn=winsync" (adtest:636) - load=1 
> rec=1 csn=50c58b70000000010000
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): windows_replay_update: Looking at rename operation local 
> dn="cn=stilltesting,ou=People,dc=domain,dc=com" (ours,not user,group)
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
> dn="cn=stilltesting-group,ou=People,dc=domain,dc=com" 
> guid="52dfaf022d5e4b49b8f7899f9e4b5c87"
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): map_entry_dn_outbound: return code 0 from search for AD 
> entry dn="<GUID=52dfaf022d5e4b49b8f7899f9e4b5c87>" or 
> dn="CN=stilltesting,CN=Users,dc=domain,dc=com"
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): windows_replay_update: Processing rename operation local 
> dn="cn=stilltesting,ou=People,dc=domain,dc=com" remote 
> dn="<GUID=52dfaf022d5e4b49b8f7899f9e4b5c87>"

winsync doesn't replay simple entry name change operations since the DS 
and AD entries use a different naming scheme

> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): Consumer failed to replay change (uniqueid 
> 2adc1381-405511e2-9418a8cb-3212cedb, CSN 50c58b70000000010000): 
> Success. Skipping.
> [10/Dec/2012:09:12:47 +0200] agmt="cn=winsync" (adtest:636) - load=1 
> rec=2 csn=50c58b70000200010000
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): windows_replay_update: Looking at modify operation local 
> dn="cn=stilltesting-group,ou=People,dc=domain,dc=com" (ours,not 
> user,group)
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
> dn="cn=stilltesting-group,ou=People,dc=domain,dc=com" 
> guid="52dfaf022d5e4b49b8f7899f9e4b5c87"
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): map_entry_dn_outbound: return code 0 from search for AD 
> entry dn="<GUID=52dfaf022d5e4b49b8f7899f9e4b5c87>" or 
> dn="CN=stilltesting,CN=Users,dc=domain,dc=com"
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): windows_replay_update: Processing modify operation local 
> dn="cn=stilltesting-group,ou=People,dc=domain,dc=com" remote 
> dn="<GUID=52dfaf022d5e4b49b8f7899f9e4b5c87>"

This looks like there were no mods to send, otherwise, it would have 
printed the list of modifications.

> [10/Dec/2012:09:12:47 +0200] agmt="cn=winsync" (adtest:636) - 
> clcache_load_buffer: rc=-30988
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): No more updates to send (cl5GetNextOperationToReplay)
> [10/Dec/2012:09:12:47 +0200] agmt="cn=winsync" (adtest:636) - session 
> end: state=5 load=1 sent=2 skipped=0
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): Beginning linger on the connection
> [10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): State: sending_updates -> wait_for_changes
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): State: wait_for_changes -> wait_for_changes
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): State: wait_for_changes -> ready_to_acquire_replica
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): Cancelling linger on the connection
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): State: ready_to_acquire_replica -> sending_updates
> [10/Dec/2012:09:13:11 +0200] - _cl5PositionCursorForReplay 
> (agmt="cn=winsync" (adtest:636)): Consumer RUV:
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replicageneration} 505ae68e000000010000
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replica 1 ldap://ldapnew.domain.com:389} 
> 505aedad000000010000 50c58b70000200010000 50c58b6f
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}
> [10/Dec/2012:09:13:11 +0200] - _cl5PositionCursorForReplay 
> (agmt="cn=winsync" (adtest:636)): Supplier RUV:
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replicageneration} 505ae68e000000010000
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replica 1 ldap://ldapnew.domain.com:389} 
> 505aedad000000010000 50c58b70000200010000 50c58b6f
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): No changes to send
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): Beginning linger on the connection
> [10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
> (adtest:636): State: sending_updates -> wait_for_changes
>
> -Matti
>
>
>
> -- 
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

More information about the 389-users mailing list