On 02/09/2011 06:39 AM, remy d1 wrote:
Hi Rich,
I reinstalled all my server from scratch and reimported all my
data (with cert files).
If I try to synchronize my data, I can import users from AD to
389-DS but I can't do the opposite. My 389 server replica is
always in status "in progress" with "replica acquired successfully
: incremental update started", but it can't finish the
synchronization job.
Sometimes you have to tell winsync to do a full resync a few times
before it finally works.
I could also continue to launch requests to my AD server from my
389-DS server (ldapsearch...). I successfully added a user to my AD
with Apache Directory Studio (installed on my 389-DS server) with
the AD synchronizing account. So, it's not an access problem.
Moreover I added a schema on my 389-DS for my directory that is
not present on my AD. Do you think I have to add this schema to AD
or is the synchronization done only on AD required attributes?
No. The schema that winsync uses is hard coded in 389 - you cannot
extend it or change it - it should work with AD, no changes to AD
should be required.
Or,
Is it a cert file problem on my AD ?
or ...?
Any idea would be appreciated
Regards-
2011/1/25 Rich Megginson <rmeggins@xxxxxxxxxx>
On 01/25/2011 01:29 AM, remy d1 wrote:
Hi Rich,
I tried to raise the log level, but when I did it, I was
not able to stop/restart my dirsrv service.
What log level did you use? What error messages did you see
when you attempted to stop/restart the service? Anything in
the errors log?
To stop it, I must kill the
process and remove the pid file. Then I could start it.
In my error logs, there is a lot of information:
[root@KingKong ~]# tail
/var/log/dirsrv/slapd-KingKong/errors
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin -
changelog program - cl5GetOperationCount: could not
get DB object for replica
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin -
changelog program - _cl5GetDBFile: no DB object found
for database
/var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin -
changelog program - cl5GetOperationCount: could not
get DB object for replica
[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin -
changelog program - _cl5GetDBFile: no DB object found
for database
/var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:40 +0100] NSMMReplicationPlugin -
changelog program - cl5GetOperationCount: could not
get DB object for replica
[24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin -
changelog program - _cl5GetDBFile: no DB object found
for database
/var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:41 +0100] NSMMReplicationPlugin -
changelog program - cl5GetOperationCount: could not
get DB object for replica
[24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin -
changelog program - _cl5GetDBFile: no DB object found
for database
/var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:42 +0100] NSMMReplicationPlugin -
changelog program - cl5GetOperationCount: could not
get DB object for replica
[24/Jan/2011:16:24:18 +0100] NSMMReplicationPlugin -
changelog program - cl5ExportLDIF: failed to locate
changelog file for replica at (dc=mydomain,dc=com)
This problem is very similar to this post :
Although I have the last version of 389-DS.
Are you sure this is the correct post you wanted to refer
to? Because this is a patch commit for a fix when moving
the changelog directory - did you move the changelog
directory? Because you did not mention it in your earlier
post.
I think I also have some troubleshooting with my
hostname because bind is not configured. However, I have
chosen to put it in my /etc/hosts file
[root@KingKong ~]# nl /etc/host.conf
     1  multi on
     2  order hosts,bind
The hostname command replies with the full "fqdn" if I choose the
option --all-fqdn, contrary to the option "--fqdn". The
reply is just my hostname without the domain. By the
way, if I say
Everything is now good for my hostname but I can not
launch my 389-console. I think the address to connect is
not ok... I do not know if this problem is linked to the
previous problems...
So, I do #hostname KingKong
Then, I launch the console again. Now, if I try to
initiate a full synchronization, I can see (and I am
still stuck on it) the window "please wait while data is
being synchronized...", but nothing else... Data are not
synchronized and I do not see anything in my Windows
event viewer while replica agreement seems to be ok and
PassSync service is installed...
It is very difficult to change your hostname after you have
configured the admin server and console. I suggest starting
over from scratch, and first make sure your hostname is
correct.
I also suggest using http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Windows_Sync
to configure Windows Sync.
Thanks for help,
-Regards
2011/1/21 Rich Megginson <rmeggins@xxxxxxxxxx>
Date: Fri, 21 Jan 2011 10:25:56 +0100
Hi Rich,
Thanks for this useful link.
I have successfully initiated replica between
Windows AD and my server 389-DS. Ldapsearch is
working. But even if everything seems to be
ok, the update does not work and I do not see
any error in the log files... So, my AD server
stays empty, the accounts are not migrated...
Here you have my access log file which is more
verbose... ( mydomain.com
for the example) :
<snip>
Obviously I am connecting
to the server 389-DS itself whereas it can
resolve the DNS name of my Windows server...
There is no error in the AD event viewer while I
could see errors on it when it was misconfigured
(like DirSync errors)... So, basically, the
Windows server is contacted to my DS-Server over
2 different networks.
Do you think I have to open the ports described
in my message ?
-Regards.
I don't know. There is no winsync information in
the access log. Note that the access log records
client accesses to the directory server, and in
winsync, the directory server itself acts as a
client to AD, so winsync will log nothing in the
access log. The errors log could be helpful, and
especially using the replication log level (which
is also used for winsync logging). The Windows
Event Viewer is useless for winsync issues.
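
Added example, not part of the thread and not 389-DS code: a short Python triage of the errors log that the replies point to for winsync problems. It rejoins entries wrapped by the mail client, counts messages per plugin function and lists the changelog database files reported as missing. The sample input is constructed from log lines quoted earlier in this thread; the function names unwrap, parse and summarize are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three entries from the errors log quoted in the thread,
# still wrapped the way the mail archive shows them. Helper names are hypothetical.
SAMPLE = """\
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin -
changelog program - cl5GetOperationCount: could not
get DB object for replica
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin -
changelog program - _cl5GetDBFile: no DB object found
for database
/var/lib/dirsrv/slapd-KingKong/changelogdb/1d934402-27b111e0-b651ef2e-02b602d3_4d0b28870000ffff0000.db4
[24/Jan/2011:16:18:30 +0100] NSMMReplicationPlugin -
changelog program - cl5GetOperationCount: could not
get DB object for replica
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<plugin>\S+)\s+-\s+(?P<msg>.*)$")
FUNC = re.compile(r"(\w+):\s")                   # reporting function, e.g. _cl5GetDBFile
DBFILE = re.compile(r"/\S+/changelogdb/\S+\.db4")  # changelog file named in a message

def unwrap(text):
    """Rejoin wrapped entries; a new entry starts with '[' (the timestamp)."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse(text):
    records = []
    for m in filter(None, map(ENTRY.match, unwrap(text))):  # skips stray fragments
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        func = FUNC.search(m["msg"])
        records.append({"ts": ts, "plugin": m["plugin"], "msg": m["msg"],
                        "func": func.group(1) if func else None})
    return records

def summarize(records):
    """Count entries per (plugin, function) and collect missing changelog files."""
    counts = Counter((r["plugin"], r["func"]) for r in records)
    missing = sorted({p for r in records for p in DBFILE.findall(r["msg"])})
    return counts, missing

if __name__ == "__main__":
    counts, missing = summarize(parse(SAMPLE))
    print(counts.most_common(), missing)
```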