Hi,
I'm trying to get Windows AD sync working. When trying to start full re-synchronization, I get the errors listed below. I've tried to verify all settings, but haven't figured out what could cause this. It seems to use value (null) with DN, but why?
Other information:
389 => 1.2.11.25 (dc=example,dc=com)
AD => Windows 2012 R2 (dc=example,dc=login)
==> notice, domain names are different!
Windows sync agreement details:
Windows domain: example.login
DS subtree: ou=People,dc=example,dc=com
Windows subtree: cn=People,dc=example,dc=login
Replicated subtree: dc=example,dc=com
My goal is to sync 389 users to one OU/CN under AD and groups to a different OU/CN. I'm not sure if this is even possible, but was hoping to achieve this by creating separate sync agreements for users and groups.
PS. thanks for excellent software and support!
-Vesa
[12/Mar/2014:10:23:56 +0200] NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): map_entry_dn_inbound: problem looking for username: -1
[12/Mar/2014:10:23:56 +0200] NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): windows_process_total_entry: Looking dn="uid=user1,ou=People,dc=example,dc=com" (ours)
[12/Mar/2014:10:23:56 +0200] NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=user1,ou=People,dc=example,dc=com" guid="c647c882ee76ab4aac2239ef81ebebb7"
[12/Mar/2014:10:23:56 +0200] NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=user1,ou=People,dc=example,dc=com" username="user1"
[12/Mar/2014:10:23:56 +0200] - Calling windows entry search request plugin
[12/Mar/2014:10:23:56 +0200] - windows_search_entry: received 1 messages, 0 entries, 0 references
[12/Mar/2014:10:23:56 +0200] NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): map_entry_dn_outbound: entry not found - rc 0
[12/Mar/2014:10:23:56 +0200] - Windows sync entry: Created new remote entry: dn:: Y249VHVvbWFzIFN5cmrDpG5lbiwobnVsbCk= objectClass: top objectClass: person objectClass: organizationalperson objectClass: user userprincipalname: user1@example.login cn:: VHVvbWFzIFN5cmrDpG5lbg== givenName: First mail: First.Last@example.com sAMAccountName: user1 accountExpires: 9223372036854775807 sn:: U3lyasOkbmVu telephoneNumber: codePage: 0
[12/Mar/2014:10:23:56 +0200] - Attempting to add entry cn=First Last,(null) to AD for local entry uid=user1,ou=People,dc=example,dc=com
[12/Mar/2014:10:23:56 +0200] NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): Received result code 34 (0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8350, best match of: '(null)' ) for add operation
[12/Mar/2014:10:23:56 +0200] NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): windows_replay_update: Cannot replay add operation.
[12/Mar/2014:10:23:56 +0200] NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): Beginning linger on the connection
[12/Mar/2014:10:23:56 +0200] NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): windows_tot_run: failed to obtain data to send to the consumer; LDAP error - 1
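An added example (not part of the original thread or of 389 Directory Server): a Python check that scans error-log text of the shape shown above, decodes base64 "dn::" values on "Created new remote entry" lines, and flags remote DNs whose container is the literal (null) or that fall outside the agreement's Windows subtree. The sample log is constructed, and the function names are assumptions made for this example.

```python
import base64
import re

# Windows subtree taken from the sync agreement quoted in the thread.
WINDOWS_SUBTREE = "cn=People,dc=example,dc=login"

# DN value runs up to the next "attr: " token (flattened LDIF) or end of line.
CREATED_RE = re.compile(
    r"Created new remote entry:\s+dn(::?)\s+(.+?)(?=\s+\w+::?\s|\s*$)", re.M)
RESULT_RE = re.compile(r"Received result code (\d+) .*for add operation")


def sample_log():
    """Constructed sample shaped like the error-log lines in the thread."""
    bad = base64.b64encode(b"cn=First Last,(null)").decode()
    good = base64.b64encode(b"cn=Other User,cn=People,dc=example,dc=login").decode()
    ts = "[12/Mar/2014:10:23:56 +0200]"
    return "\n".join([
        f"{ts} - Windows sync entry: Created new remote entry: dn:: {bad} "
        "objectClass: top sAMAccountName: user1",
        ts + ' NSMMReplicationPlugin - agmt="cn=adsync" (hki-dc01:636): Received '
        "result code 34 (0000208F: NameErr: DSID-03100225, problem 2006 "
        "(BAD_NAME), data 8350, best match of: '(null)' ) for add operation",
        f"{ts} - Windows sync entry: Created new remote entry: dn:: {good} "
        "objectClass: top sAMAccountName: user2",
    ])


def check_remote_dns(log_text, subtree=WINDOWS_SUBTREE):
    """Return (dn, problem) for each created remote entry with a bad container."""
    findings = []
    for kind, raw in CREATED_RE.findall(log_text):
        # "dn::" marks a base64-encoded LDIF value; "dn:" is plain text.
        dn = base64.b64decode(raw).decode("utf-8", "replace") if kind == "::" else raw
        if dn.lower().endswith(",(null)"):
            findings.append((dn, "container is the literal (null)"))
        elif not dn.lower().endswith("," + subtree.lower()):
            findings.append((dn, "outside configured Windows subtree"))
    return findings


def add_result_codes(log_text):
    """LDAP result codes logged for add operations (34 = invalidDNSyntax)."""
    return [int(code) for code in RESULT_RE.findall(log_text)]


if __name__ == "__main__":
    for dn, problem in check_remote_dns(sample_log()):
        print(f"{dn}: {problem}")
    print("add result codes:", add_result_codes(sample_log()))
```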
Hi,
Would anyone have tips on how to debug this further? I tried with older AD 2008 R2 and with identical domain name. Also with various OU and CN combinations. Even with using admin accounts at both ends. But it still gives the same error code:
Attempting to add entry cn=First Last,(null) to AD for local entry uid=user1,ou=People,dc=example,dc=com
NSMMReplicationPlugin - agmt="cn=adsync" Received result code 34 (0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8350, best match of: '(null)' ) for add operation
It must be something simple I'm missing here...
-Vesa
On 12/03/14 10:55, Vesa Alho wrote:
> Hi,
> I'm trying to get Windows AD sync working. When trying to start full re-synchronization, I get the errors listed below. I've tried to verify all settings, but haven't figured out what could cause this. It seems to use value (null) with DN, but why?
Okay, some progress.
I created an empty ou= in 389. Then I made a sync agreement with AD cn=Users,dc=example,dc=com. After this, the first full resync went successfully and I got users and groups from AD.
But if I try to add a user or group to 389, I get the same errors as earlier. Even if I create a user identical to one that came from AD successfully, the error remains.
Test user entry described below.
dn: uid=tpekka,ou=TestGroup,dc=example,dc=com
changetype: add
ntUserLastLogon: 0
ntUserLastLogoff: 0
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
ntUserDeleteAccount: true
uid: tpekka
sn: Pekka
givenName: Testi
cn: Testi Pekka
ntUserCodePage: 0
ntUserAcctExpires: 9223372036854775807
ntUserDomainId: tpekka
ntUniqueId: 2543adbab8c5be4b82b4f927910eb48c
I guess I will need to test with a newer 389 version next if it's a bug or something.
-Vesa
On 03/17/2014 09:24 AM, Vesa Alho wrote:
> Hi,
> Would anyone have tips on how to debug this further? I tried with older AD 2008 R2 and with identical domain name. Also with various OU and CN combinations. Even with using admin accounts at both ends. But it still gives the same error code:
Ever figure this out? We're seeing the same problem here. It was working for a while for us and then broke at some point. Looks like the target ou is getting replaced by null at some point.
- Orion
I installed an additional multi-master to our setup with the latest stable 1.3.x version (running Fedora 20). This helped, so I suspect it's a bug with 1.2.25.11 available in EPEL6 stable. At least our data is identical.
-Vesa
On 03/04/14 08:22, Vesa Alho wrote:
>> Ever figure this out? We're seeing the same problem here. It was working for a while for us and then broke at some point. Looks like the target ou is getting replaced by null at some point.
> I installed an additional multi-master to our setup with the latest stable 1.3.x version (running Fedora 20). This helped, so I suspect it's a bug with 1.2.25.11 available in EPEL6 stable. At least our data is identical.
Actually just noticed this: http://directory.fedoraproject.org/wiki/Download#RHEL6.2FEPEL6 ==> wget http://copr.fedoraproject.org/coprs/nhosoi/389-ds-base-epel6/repo/epel-6-i38... -O epel-389-ds-base.repo
Repo seems to provide version 1.2.11.28 (has not been in download instructions for too long) (http://directory.fedoraproject.org/wiki/Releases/1.2.11.28) ==> has some changes in Windows sync, have not tested if it helps
-Vesa
On 04/03/2014 01:09 AM, Vesa Alho wrote:
> Actually just noticed this: http://directory.fedoraproject.org/wiki/Download#RHEL6.2FEPEL6 ==> wget http://copr.fedoraproject.org/coprs/nhosoi/389-ds-base-epel6/repo/epel-6-i38... -O epel-389-ds-base.repo
> Repo seems to provide version 1.2.11.28 (has not been in download instructions for too long) (http://directory.fedoraproject.org/wiki/Releases/1.2.11.28) ==> has some changes in Windows sync, have not tested if it helps
1.2.11.28 doesn't work either :(. Filed https://bugzilla.redhat.com/show_bug.cgi?id=1084166
Glad to know it is at least fixed in 1.3, though I don't think we can move to that soon.