[389-users] Problem sync groups with Active Directory

Carsten Grzemba grzemba at contac-dt.de
Thu Oct 18 14:12:04 UTC 2012


AD 2003 uses the mssfu30 scheme, not the RFC scheme. Is the posix_winsync_plugin active? There is a config attribute to set for this old scheme.

On 18.10.12, Juan Asensio Sánchez <okelet at gmail.com> wrote:
> Hi
> 
> Using 389DS 1.2.5 on CentOS 5.5 i385, I need to sync users and groups
> from 389DS to Active Directory (Windows Server 2003). On the 389DS side
> I have this:
> 
> dn: cn=ALERGIAS_gestion,ou=Groups,o=XXXX,dc=XXXX,dc=es
> objectClass: groupOfNames
> objectClass: groupOfUniqueNames
> objectClass: ntGroup
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> objectClass: top
> cn: ALERGIAS_gestion
> gidNumber: 130541
> ntUserDomainId: ALERGIAS_gestion
> sambaGroupType: 2
> sambaSID: S-1-5-21-2896031208-2582234988-3810615631-261845
> description: Personal de D.GESTION de ALERGIAS del XXXX
> displayName: Personal de D.GESTION de ALERGIAS del XXXXX
> ntGroupCreateNewGroup: true
> ntGroupDeleteGroup: true
> ou: ou=ALERGIAS,ou=PERIFERICA,ou=D. GESTION,o=XXXX,dc=XXXX,dc=es
> 
> Base DS subtree in the replication agreement is o=XXXX,dc=XXXX,dc=es,
> and Windows Subtree is "ou=XXXX,ou=LDAP,dc=pruebas,dc=local", so I had
> to manually create the OUs
> "ou=People,ou=XXXX,ou=LDAP,dc=pruebas,dc=local" and
> "ou=Groups,ou=XXXX,ou=LDAP,dc=pruebas,dc=local" (user sync works
> fine). When I try to sync data, doing a full re-synchronization from
> the console, I get this error when the server is going to sync the
> group:
> 
> 
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> windows_process_total_entry: Looking
> dn="cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es" (ours)
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> map_entry_dn_outbound: looking for AD entry for DS
> dn="cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es"
> guid="(null)"
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> map_entry_dn_outbound: looking for AD entry for DS
> dn="cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es"
> username="ALERGIAS_gestion"
> [18/Oct/2012:13:09:58 +0200] - Calling windows entry search request plugin
> [18/Oct/2012:13:09:58 +0200] - windows_search_entry: recieved 1
> messages, 0 entries, 0 references
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> map_entry_dn_outbound: entry not found - rc 0
> [18/Oct/2012:13:09:58 +0200] - Windows sync entry: Created new remote entry:
>  dn: cn=ALERGIAS_gestion,ou=Groups,ou=XXXXX,ou=LdapPeople,dc=pruebas,dc=local
> objectClass: top
> objectClass: group
> sAMAccountName: ALERGIAS_gestion
> ou: ou=ALERGIAS,ou=PERIFERICA,ou=D. GESTION,o=XXXXX,dc=XXXXX,dc=es
> description: Personal de D.GESTION de ALERGIAS del XXXXX
> 
> [18/Oct/2012:13:09:58 +0200] - Attempting to add entry
> cn=ALERGIAS_gestion,ou=Groups,ou=XXXXX,ou=LdapPeople,dc=pruebas,dc=local
> to AD for local entry
> cn=ALERGIAS_gestion,ou=Groups,o=XXXXX,dc=XXXXX,dc=es
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636): Received
> result code 65 (0000207D: UpdErr: DSID-03150F9C, problem 6002
> (OBJ_CLASS_VIOLATION), data 0 ) for add operation
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> windows_replay_update: Cannot replay add operation.
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636): Beginning
> linger on the connection
> [18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
> agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636):
> windows_tot_run: failed to obtain data to send to the consumer; LDAP
> error - 1
> 
> It looks like it is trying to create a group (objectClass group), but with
> user attributes (sAMAccountName)... Any idea? Is the source group badly
> created?
> 
> Regards and thanks in advance.
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
> 
--
Carsten Grzemba
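
A triage helper for the error log quoted above, as an added example that is not part of the original thread or of the 389 DS code base: it pairs each rejected add (here LDAP result code 65 with AD problem OBJ_CLASS_VIOLATION) with the attributes Windows Sync sent for that entry, so they can be checked against the AD schema. The function names and `SAMPLE_LOG` are assumptions made for this example; the sample lines are copied from the quoted log with the mail wrapping kept.

```python
import re

# Constructed sample: error-log lines copied from the quoted message, mail wrapping kept.
SAMPLE_LOG = """\
[18/Oct/2012:13:09:58 +0200] - Windows sync entry: Created new remote entry:
 dn: cn=ALERGIAS_gestion,ou=Groups,ou=XXXXX,ou=LdapPeople,dc=pruebas,dc=local
objectClass: top
objectClass: group
sAMAccountName: ALERGIAS_gestion
ou: ou=ALERGIAS,ou=PERIFERICA,ou=D. GESTION,o=XXXXX,dc=XXXXX,dc=es
description: Personal de D.GESTION de ALERGIAS del XXXXX
[18/Oct/2012:13:09:58 +0200] NSMMReplicationPlugin -
agmt="cn=XXXXX-LDAPPruebas-WinAD" (grsgscvant01f6:636): Received
result code 65 (0000207D: UpdErr: DSID-03150F9C, problem 6002
(OBJ_CLASS_VIOLATION), data 0 ) for add operation
"""

RECORD_START = re.compile(r"^\[\d{2}/\w{3}/\d{4}:[\d:]+ [+-]\d{4}\] ")
RESULT = re.compile(r"Received result code (\d+) \((.*?)\) for (\w+) operation")
PROBLEM = re.compile(r"problem (\d+) \((\w+)\)")

def split_records(text):
    # A record starts at a timestamp; other non-blank lines continue it.
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append([line])
        elif records and line.strip():
            records[-1].append(line.strip())
    return records

def failed_adds(text):
    """Pair each rejected add with the entry that was sent to AD."""
    failures, entry = [], {}
    for rec in split_records(text):
        if "Created new remote entry" in rec[0]:
            entry = {}
            for line in rec[1:]:              # LDIF dump of the outgoing entry
                name, _, value = line.partition(": ")
                entry.setdefault(name, []).append(value)
            continue
        m = RESULT.search(" ".join(rec))      # re-join mail/terminal wrapping
        if m and m.group(3) == "add" and m.group(1) != "0":
            p = PROBLEM.search(m.group(2))
            failures.append({"ldap_rc": int(m.group(1)),
                             "ad_problem": p.group(2) if p else None,
                             "dn": entry.get("dn", [None])[0],
                             "attributes": sorted(a for a in entry if a != "dn")})
    return failures
```

Calling `failed_adds()` on the text of a real error log returns one dictionary per rejected add, listing the attribute names to compare against what the target AD object class accepts.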