If you create a sync agreement between FreeIPA and Active Directory and then add the oneWaySync property to the agreement, it invalidates the agreement.
Try to create a sync agreement:
[root@dc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net" --bindpw a5Ryj2N4EAvjFLJelWOQ --passsync MVQXHEturhjqoFXGvUcH --cacert /etc/openldap/cacerts/addomain.cer officedc2.office.addomain.net --win-subtree "OU=Staff,DC=office,DC=addomain,DC=net" -v
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/addomain.cer to certificate database for dc1.ipadomain.net
ipa: INFO: AD Suffix is: DC=office,DC=addomain,DC=net
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 57 seconds elapsed
Update succeeded
Connected 'dc1.ipadomain.net' to 'officedc2.office.addomain.net'
Confirm that the init values are non-zero:
[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
 I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie:: TVNEUwMAAADdp7tcGKLQAQAAAAAAAAAAYAEAAAVEoQAAAAAAAAAAAAAAA
 AAFRKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
 13PwAAAAAADGzFNzznrESIxHzA74fbs72tMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+9xBIgAAAAAA4qTQaC46/Ua4KXgP
 /ixNcdrfVAAAAAAAWowbgYD1akibZ+sCul5C4e9kLQAAAAAAxSO4iapVmEGQ6R23bgLQiwVEoQAAA
 AAAogC6jFcyFUmhBp4B7FkaBQwfnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608182349Z
nsds5replicaLastUpdateEnd: 20150608182349Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20150608182251Z
nsds5replicaLastInitEnd: 20150608182349Z
nsds5replicaLastInitStatus: 0 Total update succeeded
Now I update the LDAP tree to do a one-way sync with Windows:
-----------
Expanding base 'cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config'...
Getting 1 entries:
Dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: meToofficedc2.office.addomain.net;
description: me to officedc2.office.addomain.net;
nsds50ruv (3): {replicageneration} 553fe9bb000000040000; {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9000000040000 5575dff8000000040000; {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c4000000030000 557244db001700030000;
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net;
nsDS5ReplicaBindMethod: simple;
nsds5replicaChangesSentSinceStartup: 4:35/0 ;
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdmI0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=;
nsDS5ReplicaHost: officedc2.office.addomain.net;
nsds5replicaLastInitEnd: 0;
nsds5replicaLastInitStart: 0;
nsds5replicaLastUpdateEnd: 20150608183351Z;
nsds5replicaLastUpdateStart: 20150608183350Z;
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded;
nsDS5ReplicaPort: 389;
nsds5replicareapactive: 0;
nsDS5ReplicaRoot: dc=ipadomain,dc=net;
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount;
nsds5replicaTimeout: 120;
nsDS5ReplicaTransportInfo: TLS;
nsds5replicaUpdateInProgress: FALSE;
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net;
nsds7DirsyncCookie: <ldp: Binary blob 420 bytes>;
nsds7NewWinGroupSyncEnabled: false;
nsds7NewWinUserSyncEnabled: true;
nsds7WindowsDomain: ipadomain.net;
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net;
nsruvReplicaLastModified (2): {replica 4 ldap://dc1.ipadomain.net:389} 5575df5e; {replica 3 ldap://dc2.ipadomain.net:389} 00000000;
objectClass (2): nsDSWindowsReplicationAgreement; top;
oneWaySync: fromWindows;
-----------
[root@dc1 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
Now run the search to see if the agreement is still valid:
[root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
 I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie:: TVNEUwMAAAAJUnAmGaLQAQAAAAAAAAAAYAEAAIREoQAAAAAAAAAAAAAAA
 ACERKEAAAAAAMUjuImqVZhBkOkdt24C0IsBAAAAAAAAAA4AAAAAAAAAY4GwFkVcvEmMMExrVon4d6
 13PwAAAAAADGzFNzznrESIxHzA74fbs9WwMAAAAAAAOnFoO5OE2E27lR/g4EcjQTLbIwAAAAAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMAAAAA6PTFXvAdnkaJSIkZT1lS+zVCIgAAAAAA4qTQaC46/Ua4KXgP
 /ixNcRvjVAAAAAAAWowbgYD1akibZ+sCul5C4ZxlLQAAAAAAxSO4iapVmEGQ6R23bgLQi4REoQAAA
 AAAogC6jFcyFUmhBp4B7FkaBRklnQEAAAAAyhKMxsP0uUKGEnG2lsyA8eTUwgYAAAAA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAAAAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAAAAAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAAAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAAAAAA
oneWaySync: fromWindows
nsds50ruv: {replicageneration} 553fe9bb000000040000
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
 000000040000 5575df31000000040000
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
 4000000030000 557244db001700030000
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
 t:389} 5575de97
nsruvReplicaLastModified: {replica 3 ldap://dc1.ipadomain.n
 et:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150608182928Z
nsds5replicaLastUpdateEnd: 20150608182928Z
nsds5replicaChangesSentSinceStartup:: NDoyOC8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
Hmm, making it a one-way-only agreement invalidates the LastInitStart value...
I have also tried removing the oneWaySync setting and restarting the services, but it stays broken.
The error in /var/log/dirsrv/slapd-DOMAIN just repeats the following entry indefinitely:
[04/Jun/2015:03:05:33 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meTodc2.adomain.net" (dc2:389): Replica has no update vector. It has never been initialized.
The only way to fix this is to re-initialize the agreement:
[root ~]# ipa-replica-manage re-initialize --from dc1.addomain.net
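As an added check (not from the ticket, FreeIPA or 389-DS), this Python script parses the LDIF that the ldapsearch above prints and reports every winsync agreement whose nsds5replicaLastInitStart/End have gone back to 0, i.e. the state shown after oneWaySync was added; it copes with LDIF continuation lines and base64 (`::`) values as they appear in that output. The embedded LDIF is a constructed sample, and the ad2.example.test agreement in it is invented.

```python
import base64

# Constructed sample in the shape of the ticket's ldapsearch -LLL output: the first
# agreement has oneWaySync set and LastInitStart/End back at 0; the second is healthy.
SAMPLE_LDIF = r"""dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
cn: meToofficedc2.office.addomain.net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaChangesSentSinceStartup:: NDoyOC8wIA==
oneWaySync: fromWindows
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

dn: cn=meToad2.example.test,cn=replica,cn=dc\3Dipadomain\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: meToad2.example.test
nsDS5ReplicaHost: ad2.example.test
nsds5replicaLastInitStart: 20150608182251Z
nsds5replicaLastInitEnd: 20150608182349Z
"""


def parse_ldif(text):
    """One {attr_lowercase: [values]} dict per entry. Handles the two LDIF details
    in the ticket's output: continuation lines (leading space) and '::' base64 values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # fold continuation onto the previous line
        else:
            unfolded.append(line)
    entries, entry = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # 'attr:: ...' is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entries

def uninitialized_agreements(ldif_text):
    """Agreements whose LastInitStart/End are 0 or absent: the state that logs
    'Replica has no update vector' and needs ipa-replica-manage re-initialize."""
    found = []
    for e in parse_ldif(ldif_text):
        get = lambda attr: e.get(attr.lower(), [""])[0]
        if get("nsds5replicaLastInitStart") in ("", "0") or get("nsds5replicaLastInitEnd") in ("", "0"):
            found.append({"cn": get("cn"), "host": get("nsDS5ReplicaHost"),
                          "one_way": get("oneWaySync") or None})
    return found
```

Feed it the real output of the ldapsearch filtered on objectclass=nsDSWindowsReplicationAgreement (the script itself does not filter on objectClass); an empty result means every agreement still has its initialization timestamps.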
Fixed formatting.
Thread with more details and investigation by Rich: https://www.redhat.com/archives/freeipa-users/2015-June/msg00147.html
There may be other conditions in which this happens. I noticed that today on the same server, the agreement had become uninitialized again, after approximately 27 days with no changes.
This caused the directory server to crash and stop accepting logins in the web ui.
Forum report here: https://www.redhat.com/archives/freeipa-users/2015-July/msg00190.html
Directory server error logs (note that they are completely empty until July 2):
389-Directory/1.3.3.8 B2015.040.128
dc1.ipadomain.net:636 (/etc/dirsrv/slapd-IPADOMAIN-NET)
[02/Jul/2015:03:19:02 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[02/Jul/2015:06:10:29 +0000] - Entry "uid=jenkinsdev,cn=users,cn=accounts,dc=ipadomain,dc=net" missing attribute "sn" required by object class "person"
[03/Jul/2015:02:04:02 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[03/Jul/2015:05:39:01 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[03/Jul/2015:17:09:00 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[03/Jul/2015:22:41:32 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IPADOMAIN.NET')) errno 115 (Operation now in progress)
[03/Jul/2015:22:41:32 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[03/Jul/2015:22:41:32 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'IPADOMAIN.NET'))
[03/Jul/2015:22:41:36 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth resumed
[05/Jul/2015:19:24:00 +0000] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[06/Jul/2015:02:46:50 +0000] - Entry "uid=accounting,cn=users,cn=accounts,dc=ipadomain,dc=net" missing attribute "sn" required by object class "person"
[06/Jul/2015:17:47:04 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[06/Jul/2015:17:47:04 +0000] NSMMReplicationPlugin - windows sync - agmt="cn=meToofficedc2.office.addomain.net" (officedc2:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[06/Jul/2015:17:47:07 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[06/Jul/2015:17:47:13 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[06/Jul/2015:17:47:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
... repeats for 7 days ...
[13/Jul/2015:21:49:21 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:21:49:45 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:21:50:33 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:21:52:09 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:21:54:00 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[13/Jul/2015:23:04:05 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/dc1.ipadomain.net@IPADOMAIN.NET] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[13/Jul/2015:23:04:05 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[13/Jul/2015:23:04:10 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/dc1.ipadomain.net@IPADOMAIN.NET] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[13/Jul/2015:23:04:10 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[13/Jul/2015:23:04:10 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[13/Jul/2015:23:04:10 +0000] NSMMReplicationPlugin - agmt="cn=meTodc2.ipadomain.net" (dc2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
oneWaySync is a documented and supported feature: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html#unidirectional-sync
and it seems to work; even in this ticket there is a workaround by reinitializing the consumer. What fails is converting a bidirectional agreement into a one-way agreement. This never worked, changing to RFE.
The bug does not have a priority, community contribution is welcome.
Can you please elaborate on that last comment?
From the page you linked: "By default, all modifications and deletions are bi-directional"
Then it gives you a way to change it to uni-directional, which means changing the existing agreement:
[jsmith@ipaserver ~]$ ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
dn: cn=windows.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
add: oneWaySync
oneWaySync: fromWindows
They NEVER tell you how to setup one way from the start...
So how exactly is this a feature request, and not a bug?
Following the manual you can:
1. Create a bi-directional agreement
2. Change it to a one-way agreement
According to the manual, those are not only valid actions, but they are the only legitimate way to create a one way agreement.
ipa-replica-manage does not support adding one-way sync or changing bi-directional to one-way sync. It never did. Therefore adding this support is an RFE. The fact that it can be done manually in Directory Server doesn't change it.
But the fact that it needs reinitialization might be a bug in the documentation or in Directory Server. Ludwig, is it the case?
Ok, so why does the manual tell you how to change it to a one way sync then?
If this operation is not supported, why would it be in an official manual, listed like it is a totally valid thing to do?
Replying to [comment:7 nathanpeters]:
> Ok, so why does the manual tell you how to change it to a one way sync then?
You are probably referring to 7.5.5 of the Windows Integration Guide, and there in fact it looks like it could be done any time.
But in the 389-DS admin guide the same ldapmodify is in the context of setting up a winsync agreement; it refers to step 7 (create the sync agreement) and says this has to be done because the console does not offer the option to have a oneWaySync. In step 8, then, there is the initialization step.
So, I think, it was never designed and tested to be transformed at any time, but the documentation is not clear about this.
Metadata Update from @nathanpeters:
- Issue assigned to someone
- Issue set to the milestone: Future Releases
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)