It is difficult to know when a full resynchronization is necessary for a given Windows Sync agreement. I would like to be able to start a full resync from a cron script. Is this possible, or is there any other way to schedule a full resync to run periodically without human intervention?
We are using Fedora Directory 1.04 on Red Hat EL4, synchronizing with Active Directory running on Windows 2003 Server. Thanks. -G.
Glenn wrote:
It is difficult to know when a full resynchronization is necessary for a given Windows Sync agreement.
Why do you want to perform a full sync? Typically that would only be done if a) the servers had been out of contact for a long time or b) when bringing up a new server or c) if the software is broken.
I would like to be able to start a full resync from a cron script. Is this possible, or is there any other way to schedule a full resync to run periodically without human intervention?
You can do this. The console initiates sync by writing to an LDAP entry in the server's agreement tree. I'm not sure if this is documented so you might need to snoop the traffic from a manual operation and then write a script to generate the same result.
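A cron-driven version of what David describes, added here as an example that is not from the thread or the project. It assumes the agreement DN shown is a placeholder for your own agreement entry, OpenLDAP's ldapmodify (for the -y password-file option), and that the attribute the console writes for a full resync is nsds5BeginReplicaRefresh; as David suggests, confirm that against a captured manual operation on your own server before trusting it.

```shell
#!/bin/sh
# Added example, not from the thread: request a full resync of one Windows
# Sync agreement from cron. Assumptions: placeholder DN/host below, OpenLDAP
# client tools, and that "nsds5BeginReplicaRefresh: start" on the agreement
# entry is what the console does for a full resync (verify on your server).

LDAP_URI='ldaps://fds.example.com'     # TLS keeps the bind password off the wire
BIND_DN='cn=Directory Manager'
PWFILE='/etc/dirsrv/resync.pw'         # mode 0600; avoids -w password on the command line
AGREEMENT_DN='cn=ADSync,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'

# Emit the LDIF modify that requests a full resync of the agreement passed as $1.
resync_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsds5BeginReplicaRefresh\nnsds5BeginReplicaRefresh: start\n' "$1"
}

# Refuse to run if the password file is missing or readable by others; a cron
# job would otherwise hand the Directory Manager password to every local user.
check_pwfile() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ] || return 1
}

# Send the request and leave an audit trail in syslog either way.
run_resync() {
    check_pwfile "$PWFILE" || { echo "refusing: $PWFILE missing or not mode 0600" >&2; return 1; }
    resync_ldif "$AGREEMENT_DN" | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PWFILE" \
        || { logger -t winsync-resync "resync request FAILED for $AGREEMENT_DN"; return 1; }
    logger -t winsync-resync "full resync requested for $AGREEMENT_DN"
}

# Only act when invoked with --run, e.g. from crontab (Sunday 03:00):
#   0 3 * * 0 /usr/local/sbin/winsync-resync.sh --run
case "${1:-}" in
    --run) run_resync ;;
esac
```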
David - At least once a week on our 8,000-user systems, synchronization breaks. Usually it is because the Passsync service on the AD server stops running. Other times, Passsync is running, but passwords do not sync. Sometimes passwords sync only one way. Sometimes password sync works when we change the user's password on the domain controller, but it does not work when we change the user's password on the user's Windows XP computer.
Sometimes password sync breaks and other attributes continue to synchronize. Often while this is going on, new accounts are not replicated from one system to the other. An aggravating factor seems to be accounts that have attributes allowed in Fedora Directory but not allowed in Active Directory, such as duplicate names or user IDs.
The remedy for these problems seems to be to stop and restart Passsync and do a full resync from the Fedora Directory Server console. Duplicate entries must be changed so they are acceptable to AD, and a resync is necessary to get them to replicate.
Thanks for the suggestion on creating the resync script. -G.
---------- Original Message -----------
From: David Boreham david_list@boreham.org
To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com
Sent: Wed, 02 Jul 2008 07:01:21 -0600
Subject: Re: [Fedora-directory-users] Scheduled Resync with Windows Sync?
------- End of Original Message -------
Glenn wrote:
David - At least once a week on our 8,000-user systems, synchronization breaks. Usually it is because the Passsync service on the AD server stops running. Other times, Passync is running, but passwords do not sync. Sometimes passwords sync only one way. Sometimes password sync works when we change the user's password on the domain controller, but it does not work when we change the user's password on the user's Windows XP computer.
You do know that the passsync service is completely autonomous from the FDS server-side sync functionality? Initiating a re-sync on FDS should have no effect on passsync, since they are separate.
Sometimes password sync breaks and other attributes continue to synchronize.
This would make perfect sense, since the two are implemented in different software, running on different machines.
Often while this is going on, new accounts are not replicated from one system to the other. An aggravating factor seems to be accounts that have attributes allowed in Fedora Directory but not allowed in Active Directory, such as duplicate names or user IDs.
Hmm...the FDS windows sync code is supposed to strip off illegal schema to prevent this problem, but perhaps it isn't working properly in your case.
The remedy for these problems seems to be to stop and restart Passsync and do a full resync from the Fedora Directory Server console. Duplicate entries must be changed so they are acceptable to AD, and a resync is necessary to get them to replicate.
If you're running an 8k user site with this code you might think about investing some money in having someone fix it. It sounds like you have hit one or more quite serious bugs that would probably not take too long to diagnose and fix.
Hello All;
My network, which once consisted mostly of Solaris 2.8 and Linux (Fedora Core and Red Hat) and now consists mostly of Windows 2k3 servers and XP boxes, with still a large number of Linux and Solaris servers, is becoming a nightmare to administer, and I am desperately seeking some advice.
I would like to simplify all account information on my Solaris 2.8, Solaris 10 and Linux servers/workstations to lookup and authenticate user account info, as well as what is now in NIS netgroup and group, against one of my many AD servers.
Would FCS help me at all? Or would it further complicate my already complicated environment?
Could someone point me in the right direction for how to get my *nix boxes to perform what I am looking for them to do?
I've found a few articles for Solaris 10, but very little information for Solaris 8. Also, I am not sure if I need some additional PAM modules and/or entries, especially for Solaris 8, about which I am clueless.
While I realize that this question might be off-topic, I have nowhere else to look; I therefore apologize in advance if this posting has offended anyone.
Thank you,
.vp