10:42 a.m.
It is difficult to know when a full resynchronization is necessary for a
given Windows Sync agreement. I would like to be able to start a full resync
from a cron script. Is this possible, or is there any other way to schedule
a full resync to run periodically without human intervention?
We are using Fedora Directory 1.04 on Red Hat EL4, synchronizing with Active
Directory running on Windows 2003 Server. Thanks. -G.
8:01 a.m.
Glenn wrote:
It is difficult to know when a full resynchronization is necessary
for a
given Windows Sync agreement.
Why do you want to perform a full sync ? Typically
that would only be
done if
a) the servers had been out of contact for a long time or b) when
bringing up a new
server or c) if the software is broken.
I would like to be able to start a full resync
from a cron script. Is this possible, or is there any other way to schedule
a full resync to run periodically without human intervention?
You can do this. The console initiates sync by writing to an LDAP entry
in the server's
agreement tree. I'm not sure if this is documented so you might need to
snoop the traffic
from a manual operation and then write a script to generate the same result.
9:22 a.m.
David - At least once a week on our 8,000-user systems, synchronization
breaks. Usually it is because the Passsync service on the AD server stops
running. Other times, Passync is running, but passwords do not sync.
Sometimes passwords sync only one way. Sometimes password sync works when we
change the user's password on the domain controller, but it does not work
when we change the user's password on the user's Windows XP computer.
Sometimes password sync breaks and other attributes continue to synchronize.
Often while this is going on, new accounts are not replicated from one system
to the other. An aggravating factor seems to be accounts that have
attributes allowed in Fedora Directory but not allowed in Active Directory,
such as duplicate names or user IDs.
The remedy for these problems seems to be to stop and restart Passsync and do
a full resync from the Fedora Directory Server console. Duplicate entries
must be changed so they are acceptable to AD, and a resync is necessary to
get them to replicate.
Thanks for the suggestion on creating the resync script. -G.
---------- Original Message -----------
From: David Boreham <david_list(a)boreham.org>
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users(a)redhat.com>
Sent: Wed, 02 Jul 2008 07:01:21 -0600
Subject: Re: [Fedora-directory-users] Scheduled Resync with Windows Sync?
Glenn wrote:
> It is difficult to know when a full resynchronization is necessary for a
> given Windows Sync agreement.
Why do you want to perform a full sync ? Typically that would only
be done if a) the servers had been out of contact for a long time or
b) when bringing up a new server or c) if the software is broken.
> I would like to be able to start a full resync
> from a cron script. Is this possible, or is there any other way to
schedule
> a full resync to run periodically without human intervention?
>
You can do this. The console initiates sync by writing to an LDAP
entry in the server's agreement tree. I'm not sure if this is
documented so you might need to snoop the traffic from a manual
operation and then write a script to generate the same result.
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------- End of
Original Message -------
9:29 a.m.
Glenn wrote:
David - At least once a week on our 8,000-user systems,
synchronization
breaks. Usually it is because the Passsync service on the AD server stops
running. Other times, Passync is running, but passwords do not sync.
Sometimes passwords sync only one way. Sometimes password sync works when we
change the user's password on the domain controller, but it does not work
when we change the user's password on the user's Windows XP computer.
You do know that the passsync service is completely autonomous from the
FDS server-side sync functionality ?
Initiating a re-sync on FDS should have no affect on passsync, since
they are separate.
Sometimes password sync breaks and other attributes continue to
synchronize.
This would make perfect sense, since the two are implemented in
different software, running on different machines.
Often while this is going on, new accounts are not replicated from
one system
to the other. An aggravating factor seems to be accounts that have
attributes allowed in Fedora Directory but not allowed in Active Directory,
such as duplicate names or user IDs.
Hmm...the FDS windows sync code is supposed to strip off illegal schema
to prevent this problem,
but perhaps it isn't working properly in your case.
The remedy for these problems seems to be to stop and restart
Passsync and do
a full resync from the Fedora Directory Server console. Duplicate entries
must be changed so they are acceptable to AD, and a resync is necessary to
get them to replicate.
If you're running an 8k user site with this code you might think about
investing some money
in having someone fix it. It sounds like you have hit one or more quite
serious bugs that would
probably not take too long to diagnose and fix.
9:49 a.m.
New subject: [Fedora-directory-users] Linux (RH and FC) & Solaris 8 / 10 group/netgroup and passwd Advice Desperately Needed [OT?]
Hello All;
My network, which once consisted of mostly Solaris 2.8 and Linux (Fedora Core and ReHat),
now consists of mostly Windows 2k3 servers and XP boxes, with a still a large amount of
Linux and Solaris Servers, is becoming a nightmare to administer and I am desperately
seeking some advice.
I would like to simplify all account information on my Solaris 2.8, Solaris 10 and Linux
servers/workstations to lookup and authenticate user account info, as well as what is now
in NIS netgroup and group, against one of my many AD servers.
Would FCS help me at all? Or would it further complicate my already complicated
environment?
Could someone point me in the right direction for how to get my *nix boxes to perform what
I am looking for them to do?
I've found a few articles for Solaris 10, but very little information for Solaris 8.
Also, not sure if I need some additional PAM modules and or entries, especially for
Solaris 8 which I am clueless for.
While I realize that this question might be off-topic, I have nowhere else to look, I
therefore apologize in advance if this posting has offended anyone.
Thank you,
.vp
5766
days inactive
5779
days old
389-users@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
David Boreham -
Glenn -
Vadim Pushkin