Zdenek Sobotka via FreeIPA-users wrote:
Hello, I would need advice on setting up account synchronization between a Windows 10 testing instance with AD and FreeIPA. I successfully imported CA certificates for trust between AD and FreeIPA and ran ldapsearch, which I can use to read information from Windows AD. Now I want to synchronize account data from AD to FreeIPA using "ipa-replica-manage connect --winsync". In debug mode, I see that the synchronization is established, and there is also an attempt at data replication. Finally, at the end, it says that the replica update "passed successfully". But when I looked in FreeIPA, no AD data had been added.
Here is the log:
[root@freeipa ~]# ipa-replica-manage connect -d --verbose --winsync --no-lookup --binddn="cn=Administrator,cn=Users,dc=ngov,dc=local" --bindpw="H3sl0123456." --cacert=/etc/ipa/ca.crt --passsync="TESTTEST111" WIN-7G3BH6KDDHU.ngov.local
Directory Manager password:
ipa: DEBUG: Created connection context.ldap2_140493289808392
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'stop', 'dirsrv@TEST-LOCAL.service']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Stop of dirsrv@TEST-LOCAL.service complete
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=Certificate Authority,O=TEST.LOCAL', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=WIN-7G3BH6KDDHU.ngov.local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=ngov-WIN-7G3BH6KDDHU-CA,DC=ngov,DC=local', '-t', 'C,,', '-a', '-f', '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'start', 'dirsrv@TEST-LOCAL.service']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=['/bin/systemctl', 'is-active', 'dirsrv@TEST-LOCAL.service']
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120
ipa: DEBUG: waiting for port: 389
ipa: DEBUG: SUCCESS: port: 389
ipa: DEBUG: Start of dirsrv@TEST-LOCAL.service complete
ipa: DEBUG: Created connection context.ldap2_140493289808392
Added CA certificate /etc/ipa/ca.crt to certificate database for freeipa.TEST.local
ipa: INFO: AD Suffix is: DC=ngov,DC=local
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://freeipa.TEST.local:636 conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fc7249c2c88>
ipa: DEBUG: Add or update replica config cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config
ipa: DEBUG: No update to cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config necessary
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local
Windows PassSync system account exists, not resetting password
ipa: DEBUG: Plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' already 'uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local' in passSyncManagersDNs
ipa: DEBUG: Waiting up to 300 seconds for replication (ldaps://freeipa.TEST.local:636) cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config (objectclass=*)
ipa: DEBUG: Entry found [LDAPEntry(ipapython.dn.DN('cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config'), {'objectClass': [b'nsDSWindowsReplicationAgreement', b'top'], 'cn': [b'meToWIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaHost': [b'WIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaPort': [b'389'], 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot': [b'dc=TEST,dc=local'], 'description': [b'me to WIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicatedAttributeList': [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], 'nsDS5ReplicaBindDN': [b'cn=Administrator,cn=Users,dc=ngov,dc=local'], 'nsDS5ReplicaTransportInfo': [b'TLS'], 'nsDS5ReplicaBindMethod': [b'simple'], 'nsds7WindowsReplicaSubtree': [b'cn=Users,DC=ngov,DC=local'], 'nsds7DirectoryReplicaSubtree': [b'cn=users,cn=accounts,dc=TEST,dc=local'], 'nsds7NewWinUserSyncEnabled': [b'true'], 'nsds7NewWinGroupSyncEnabled': [b'false'], 'nsds7WindowsDomain': [b'TEST.local'], 'nsDS5ReplicaCredentials': [b'{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTVaRGxoTVRJNFpDMHhOVGt6TTJZNQ0KTmkwNU9HTTBNR0ZtTXkxaE56TTJaakUwTWdBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRGJXVlFqdEZEY3k1RjFYTEMwT1V2TA==}gjvpjBG5R/xt7jkO7XzRPg=='], 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart': [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'], 'nsds5replicaChangesSentSinceStartup': [b''], 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions started since server startup'], 'nsds5replicaLastUpdateStatusJSON': [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2021-10-20T10:36:28Z", "message": "Error (0) No replication sessions started since server startup"}'], 'nsds5replicaUpdateInProgress': [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'], 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: Error (0) Replica acquired successfully: Incremental update started: start: 20211020103628: end: 20211020103628
ipa: INFO: Agreement is ready, starting replication . . .
ipa: WARNING: This configuration ("--winsync") may imply that the log file contains clear text passwords. Please ensure that these files can be accessed only by trusted accounts.
Log files are under /var/lib/dirsrv/slapd-TEST-LOCAL/cldb
Starting replication, please wait until this has completed.
Update succeeded
Connected 'freeipa.TEST.local' to 'WIN-7G3BH6KDDHU.ngov.local'
ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
[root@freeipa ~]#
I would be grateful for any helpful advice. Thanks.
I'd suggest enabling replication debugging to see what is going on: https://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
rob
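As an added example for this thread (not FreeIPA or 389 DS code), the script below reads the winsync agreement attributes exactly as ipa-replica-manage printed them in the log above and reports what the status fields say, then builds the ldapmodify input that switches the 389 DS error log to replication debugging (level 8192, the value the linked FAQ uses) and back. The attribute names are the real nsDSWindowsReplicationAgreement attributes; the sample values are copied from the posted entry, the finding codes and messages are the example's own, and the restore value 16384 is the documented 389 DS default for nsslapd-errorlog-level, so check your own cn=config before restoring. One caveat on the posted command line: --bindpw and --passsync were given as arguments, so both secrets are now in the root shell history on the IPA server as well as in this post.

```python
"""Interpret a 389 DS winsync agreement entry and build the LDIF that turns
replication debug logging on and off.

Added example for the FreeIPA-users thread; not FreeIPA or 389 DS code.
"""
from datetime import datetime, timezone

# Constructed from the nsDSWindowsReplicationAgreement entry in the posted log
# (bytes decoded, credentials attribute omitted).
AGREEMENT = {
    "cn": "meToWIN-7G3BH6KDDHU.ngov.local",
    "nsDS5ReplicaHost": "WIN-7G3BH6KDDHU.ngov.local",
    "nsDS5ReplicaPort": "389",
    "nsDS5ReplicaTransportInfo": "TLS",
    "nsDS5ReplicaBindMethod": "simple",
    "nsds7WindowsReplicaSubtree": "cn=Users,DC=ngov,DC=local",
    "nsds7DirectoryReplicaSubtree": "cn=users,cn=accounts,dc=TEST,dc=local",
    "nsds7NewWinUserSyncEnabled": "true",
    "nsds7NewWinGroupSyncEnabled": "false",
    "nsds5replicaLastUpdateStart": "19700101000000Z",
    "nsds5replicaLastUpdateEnd": "19700101000000Z",
    "nsds5replicaLastUpdateStatus": "Error (0) No replication sessions started since server startup",
    "nsds5replicaLastInitStart": "19700101000000Z",
    "nsds5replicaLastInitEnd": "19700101000000Z",
}

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

ERRORLOG_REPLICATION = 8192  # 389 DS nsslapd-errorlog-level bit for replication debugging
ERRORLOG_DEFAULT = 16384     # documented 389 DS default; confirm in your own cn=config


def parse_gentime(value):
    """Parse an LDAP generalized-time value such as '20211020103628Z'."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def diagnose(agreement):
    """Return (code, message) findings for a winsync agreement entry.

    389 DS stores the Unix epoch in a timestamp attribute when the event it
    records has never happened for this agreement.
    """
    findings = []
    start = parse_gentime(agreement["nsds5replicaLastUpdateStart"])
    end = parse_gentime(agreement["nsds5replicaLastUpdateEnd"])
    if start == EPOCH:
        findings.append(("no_update_session",
                         "nsds5replicaLastUpdateStart is the epoch: no incremental "
                         "update session has been recorded since server startup"))
    elif end < start:
        findings.append(("update_in_progress",
                         "nsds5replicaLastUpdateEnd precedes the start: a session is "
                         "still running or was interrupted"))
    if parse_gentime(agreement["nsds5replicaLastInitStart"]) == EPOCH:
        findings.append(("never_initialized",
                         "nsds5replicaLastInitStart is the epoch: no total "
                         "(re-)initialization from AD has been recorded"))
    status = agreement.get("nsds5replicaLastUpdateStatus", "")
    if "No replication sessions started" in status:
        findings.append(("status_idle", status))
    if agreement.get("nsds7NewWinGroupSyncEnabled", "").lower() != "true":
        findings.append(("groups_not_synced",
                         "nsds7NewWinGroupSyncEnabled is false: new AD groups are "
                         "not created in IPA (FreeIPA sets this by default)"))
    if (agreement.get("nsDS5ReplicaBindMethod") == "simple"
            and agreement.get("nsDS5ReplicaTransportInfo") != "TLS"):
        findings.append(("cleartext_bind",
                         "simple bind without TLS sends the AD bind password in clear"))
    return findings


def errorlog_level_ldif(level):
    """LDIF for ldapmodify (bind as cn=Directory Manager) that sets the
    389 DS error log level on cn=config."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-errorlog-level\n"
        f"nsslapd-errorlog-level: {level}\n"
    )


if __name__ == "__main__":
    for code, msg in diagnose(AGREEMENT):
        print(f"{code:20s} {msg}")
    print("\n# enable replication debugging, then tail /var/log/dirsrv/slapd-TEST-LOCAL/errors")
    print(errorlog_level_ldif(ERRORLOG_REPLICATION))
    print("# restore the previous level afterwards")
    print(errorlog_level_ldif(ERRORLOG_DEFAULT))
```

Feed the printed LDIF to ldapmodify against the IPA directory server, then re-run the connect or an ipa-replica-manage re-initialize --from WIN-7G3BH6KDDHU.ngov.local and read the replication messages in the errors log; level 8192 is verbose, so restore the previous level once the problem is understood.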