Re: 389 <=> AD group sync

Rich Megginson <rmeggins@xxxxxxxxxx> · Mon, 10 Dec 2012 15:55:18 -0700

On 12/10/2012 12:21 AM, Matti Alho wrote:
I noticed this:
dn="cn=stilltesting,cn=Users,dc=domain,dc=com" (not present,add not
allowed)

What could cause that? Some AD permissions? It's a bit weird since
full update works.

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html 

Does cn=stilltesting,cn=Users,dc=domain,dc=com have
ntGroupCreateNewGroup: TRUE

Yes, below is the entry. And actually in the guide you linked 
ntGroupCreateNewGroup value is "on" in the console section and "true" 
in command line section. I guess both are okay. I did try both values.

dn: cn=stilltesting,ou=People,dc=domain,dc=com
ntGroupCreateNewGroup: true
description: stilltesting
objectClass: top
objectClass: groupofuniquenames
objectClass: ntgroup
uniqueMember: uid=btab,ou=People,dc=domain,dc=com
ntUserDomainId: stilltesting
cn: stilltesting

Logs after incremental update (which doesn't work):

[10/Dec/2012:08:45:34 +0200] agmt="cn=winsync" (adtest:636) - session 
start: anchorcsn=50c1bec7000000010000
[10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - changelog program 
- agmt="cn=winsync" (adtest:636): CSN 50c1bec7000000010000 found, 
position set for replay
[10/Dec/2012:08:45:34 +0200] agmt="cn=winsync" (adtest:636) - load=1 
rec=1 csn=50c5850f000000010000
start
[10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): windows_replay_update: Looking at modify operation local 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" (ours,not user,group)
[10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" guid="(null)"
[10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" username="stilltesting"
[10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: entry not found - rc 0
[10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): windows_replay_update: Processing modify operation local 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" remote 
dn="cn=stilltesting,cn=Users,dc=domain,dc=com"

This sequence looks like it is attempting to replay a modify operation 
on the DS entry cn=stilltesting,ou=People,dc=domain,dc=com but it cannot 
find the corresponding AD entry.  So the operation fails.

[10/Dec/2012:08:45:34 +0200] agmt="cn=winsync" (adtest:636) - 
clcache_load_buffer: rc=-30988
[10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): No more updates to send (cl5GetNextOperationToReplay)
[10/Dec/2012:08:45:34 +0200] agmt="cn=winsync" (adtest:636) - session 
end: state=5 load=1 sent=1 skipped=0
[10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Beginning linger on the connection
[10/Dec/2012:08:45:34 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: sending_updates -> wait_for_changes
[10/Dec/2012:08:46:35 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Linger timeout has expired on the connection
[10/Dec/2012:08:46:35 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Disconnected from the consumer
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: wait_for_changes -> wait_for_changes
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: wait_for_changes -> ready_to_acquire_replica
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Trying secure slapi_ldap_init_ext
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): binddn = cn=replication manager,cn=Users,dc=domain,dc=com,
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): No linger to cancel on the connection
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: ready_to_acquire_replica -> sending_updates
[10/Dec/2012:08:48:11 +0200] - _cl5PositionCursorForReplay 
(agmt="cn=winsync" (adtest:636)): Consumer RUV:
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replicageneration} 505ae68e000000010000
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 1 ldap://ldapnew.domain.com:389} 
505aedad000000010000 50c5850f000000010000 50c5850e
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}
[10/Dec/2012:08:48:11 +0200] - _cl5PositionCursorForReplay 
(agmt="cn=winsync" (adtest:636)): Supplier RUV:
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replicageneration} 505ae68e000000010000
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 1 ldap://ldapnew.domain.com:389} 
505aedad000000010000 50c5850f000000010000 50c5850e
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}
[10/Dec/2012:08:48:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): No changes to send

Logs after full manual update (which works):

[10/Dec/2012:09:12:47 +0200] agmt="cn=winsync" (adtest:636) - load=1 
rec=1 csn=50c58b70000000010000
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): windows_replay_update: Looking at rename operation local 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" (ours,not user,group)
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="cn=stilltesting-group,ou=People,dc=domain,dc=com" 
guid="52dfaf022d5e4b49b8f7899f9e4b5c87"
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: return code 0 from search for AD 
entry dn="<GUID=52dfaf022d5e4b49b8f7899f9e4b5c87>" or 
dn="CN=stilltesting,CN=Users,dc=domain,dc=com"
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): windows_replay_update: Processing rename operation local 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" remote 
dn="<GUID=52dfaf022d5e4b49b8f7899f9e4b5c87>"

winsync doesn't replay simple entry name change operations since the DS 
and AD entries use a different naming scheme

[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Consumer failed to replay change (uniqueid 
2adc1381-405511e2-9418a8cb-3212cedb, CSN 50c58b70000000010000): 
Success. Skipping.
[10/Dec/2012:09:12:47 +0200] agmt="cn=winsync" (adtest:636) - load=1 
rec=2 csn=50c58b70000200010000
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): windows_replay_update: Looking at modify operation local 
dn="cn=stilltesting-group,ou=People,dc=domain,dc=com" (ours,not 
user,group)
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="cn=stilltesting-group,ou=People,dc=domain,dc=com" 
guid="52dfaf022d5e4b49b8f7899f9e4b5c87"
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: return code 0 from search for AD 
entry dn="<GUID=52dfaf022d5e4b49b8f7899f9e4b5c87>" or 
dn="CN=stilltesting,CN=Users,dc=domain,dc=com"
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): windows_replay_update: Processing modify operation local 
dn="cn=stilltesting-group,ou=People,dc=domain,dc=com" remote 
dn="<GUID=52dfaf022d5e4b49b8f7899f9e4b5c87>"

This looks like there were no mods to send, otherwise, it would have 
printed the list of modifications.

[10/Dec/2012:09:12:47 +0200] agmt="cn=winsync" (adtest:636) - 
clcache_load_buffer: rc=-30988
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): No more updates to send (cl5GetNextOperationToReplay)
[10/Dec/2012:09:12:47 +0200] agmt="cn=winsync" (adtest:636) - session 
end: state=5 load=1 sent=2 skipped=0
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Beginning linger on the connection
[10/Dec/2012:09:12:47 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: sending_updates -> wait_for_changes
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: wait_for_changes -> wait_for_changes
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: wait_for_changes -> ready_to_acquire_replica
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Cancelling linger on the connection
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: ready_to_acquire_replica -> sending_updates
[10/Dec/2012:09:13:11 +0200] - _cl5PositionCursorForReplay 
(agmt="cn=winsync" (adtest:636)): Consumer RUV:
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replicageneration} 505ae68e000000010000
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 1 ldap://ldapnew.domain.com:389} 
505aedad000000010000 50c58b70000200010000 50c58b6f
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}
[10/Dec/2012:09:13:11 +0200] - _cl5PositionCursorForReplay 
(agmt="cn=winsync" (adtest:636)): Supplier RUV:
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replicageneration} 505ae68e000000010000
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 1 ldap://ldapnew.domain.com:389} 
505aedad000000010000 50c58b70000200010000 50c58b6f
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): No changes to send
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Beginning linger on the connection
[10/Dec/2012:09:13:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: sending_updates -> wait_for_changes

-Matti

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users