Re: [389-users] loss of group members in AD after initialization of sync

[Jean-Noel Chardron <Jean-Noel.Chardron@xxxxxxxxxxxx>]

Richard Megginson a écrit :
> ----- "jean-Noël Chardron" <Jean-Noel.Chardron@xxxxxxxxxxxx> wrote:
>
>   
> > hello,
> >
> > When I initiate a first full synchronization of DS and AD I lost
> > members 
> > in groups
> >
> > error log shows :
> >
> > [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
> >
> > AD entry [CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> > [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
> >
> > [c0e73a492ffbc04c9e85781a68f45023]
> > [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
> > [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid
> > [SFC]
> > [...]
> > [10/Jun/2009:15:00:11 +0200] - Windows sync entry: Adding new local 
> > entry dn: cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
> > objectClass: top
> > objectClass: groupofuniquenames
> > objectClass: ntGroup
> > ntGroupDeleteGroup: true
> > cn: SFC
> > description: Service Financier et Comptable
> > uniqueMember: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, 
> > dc=cnrs, dc=
> >  fr
> > uniqueMember:[...]
> > follow 10 members
> >
> > [...]
> > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - received entry
> > from 
> > dirsync: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
> > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
> >
> > AD entry [CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
> >
> > [0cdf6e627d64684cb10c70b3b8753fda]
> > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
> > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid
> > [MX]
> > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: problem looking for username:
> > -1
> > [10/Jun/2009:15:00:24 +0200] - Windows sync entry: Adding new local 
> > entry dn: uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
> > dc=fr
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalperson
> > objectClass: inetOrgPerson
> > objectClass: ntUser
> > ntUserDeleteAccount: true
> > uid: MX
> > sn: MX
> > givenName: Guillaume
> > cn: MX
> > ntUserCodePage: 0
> > ntUserAcctExpires: 0
> > ntUserDomainId: MX
> > mail: Guillaume.MX@xxxxxxxxxxxx
> > ntUniqueId: 0cdf6e627d64684cb10c70b3b8753fda
> >
> >
> > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): windows_process_total_entry: Looking 
> > dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" (ours)
> > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
> > dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" 
> > guid="c0e73a492ffbc04c9e85781a68f45023"
> > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
> > dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr"
> > username="SFC"
> > [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request
> > plugin
> > [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 
> > messages, 1 entries, 0 references
> > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_outbound: found AD entry 
> > dn="CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
> > [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request
> > plugin
> > [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 
> > messages, 1 entries, 0 references
> > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - 
> > windows_generate_update_mods: 
> > CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, description : 
> > values are equal
> > [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for
> >
> > uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
> > [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for
> > uid=
> >
> > [follow 10 entries,]
> >
> > [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request
> > plugin
> > [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 
> > messages, 1 entries, 0 references
> > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
> >
> > AD entry
> > [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
> >
> > [72a7171ffaa0d84a9ca4ec2d90a4ab2b]
> > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
> > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid 
> > [essaibug]
> > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: problem looking for username:
> > -1
> > [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request
> > plugin
> > [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 
> > messages, 1 entries, 0 references
> >
> > [10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin - 
> > windows_generate_update_mods: 
> > CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, sAMAccountName
> > : 
> > values are equal
> > [10/Jun/2009:15:01:38 +0200] - smod - windows sync
> > [10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member
> > [10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: 
> > CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
> > [10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member
> > [10/Jun/2009:15:01:38 +0200] - smod 1 - value: member:
> >
> > [follow the 10 entries]
> >
> > [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - 
> > windows_update_remote_entry: modifying entry 
> > CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
> > [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): Received result code 0 () for modify operation
> >
> > [10/Jun/2009:15:01:55 +0200] - map_dn_values: no local entry found for
> >
> > uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
> >
> > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - received entry
> > from 
> > dirsync:
> > CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
> > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
> >
> > AD entry
> > [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
> >
> > [72a7171ffaa0d84a9ca4ec2d90a4ab2b]
> > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
> > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid 
> > [essaibug]
> > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_inbound: problem looking for username:
> > -1
> > [10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local 
> > entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
> > dc=fr
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalperson
> > objectClass: inetOrgPerson
> > objectClass: ntUser
> > ntUserDeleteAccount: true
> > uid: essaibug
> > sn: essaibug
> > cn: essaibug
> > ntUserCodePage: 0
> > ntUserAcctExpires: 9223372036854775807
> > ntUserDomainId: essaibug
> > ntUniqueId: 72a7171ffaa0d84a9ca4ec2d90a4ab2b
> >
> > [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
> > dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
> > dc=fr" 
> > guid="72a7171ffaa0d84a9ca4ec2d90a4ab2b"
> > [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
> > dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
> > dc=fr" 
> > username="essaibug"
> > [10/Jun/2009:15:07:13 +0200] - Calling windows entry search request
> > plugin
> > [10/Jun/2009:15:07:13 +0200] - windows_search_entry: recieved 2 
> > messages, 1 entries, 0 references
> > [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin -
> > agmt="cn=zebigbos" 
> > (zebigbos:636): map_entry_dn_outbound: found AD entry 
> > dn="CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
> >
> > (following the translation of google)
> > I suppose that during the initialization of the replication, groups
> > have 
> > lost members (group sfc) with the logs in order explicit removal of
> > the 
> > member in the group, sent by the DS to AD. The most likely explanation
> >
> > and that the process is sequential but with a dispatch from AD to 
> > DS-anarchic, with a group can be created before members in DS users. 
> > these are leading to a later stage in a request for suppresssion AD DS
> >
> > to members of the group that did not exist before the creation of the
> >
> > group. This is "normal" since DS checks the consistency of information
> >
> > and therefore the group members. The solution to this problem is to 
> > create manually in the AD to add the lost members in the group or may
> > be 
> > to initialize sync twice in a closed time.
> >
> > The administrator of the Windows server and the AD insulted me as a 
> > result of this blunder
> > I asked him if he had a backup of the AD. he had not
> >
> >     
>
> So let me see if I understand what is happening:
> DS attempts to sync some groups from AD - since the user does not exist, it deletes the member from the group.  Then it syncs the group back to AD, and deletes those users from AD.
> Is that correct?
> I suppose a workaround would be to make sure all of the users are first added to DS, then sync the groups.
>   
yes, that is correct.

> > --
> >
> > Jean-Noel Chardron
> >
> >
> > --
> > 389 users mailing list
> > 389-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >     
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   


--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users