Zdenek Sobotka via FreeIPA-users wrote:
> Hello,
> I would need advice on setting up account synchronization between
> Windows10 testing instance with AD and FREEIPA.
> I successfully imported CA certificates for trust between AD and
> FREEIPA, ran ldapsearch, which I can use to read information from
> Windows AD.
> Now I want to synchronize data accounts from AD to FREEIPA, using
> "ipa-replica-manage connect --winsync".
> In debug mode, I see that the synchronization is established, and also
> there is an attempt with data replication.
> Finally in the end, is written that the replica update "passed
> successfully". But no AD data was added, when I looked into FREEIPA.
>
> Here is the log:
>
> ```
> [root@freeipa ~]# ipa-replica-manage connect -d --verbose --winsync
> --no-lookup --binddn="cn=Administrator,cn=Users,dc=ngov,dc=local"
> --bindpw="H3sl0123456." --cacert=/etc/ipa/ca.crt
> --passsync="TESTTEST111" WIN-7G3BH6KDDHU.ngov.local
>
> Directory Manager password:
>
> ipa: DEBUG: Created connection context.ldap2_140493289808392
> ipa: DEBUG: Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> ipa: DEBUG: Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/bin/systemctl', 'stop', 'dirsrv@TEST-LOCAL.service']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Stop of dirsrv@TEST-LOCAL.service complete
> ipa: DEBUG: Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/usr/bin/certutil', '-d',
> 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n', 'CN=Certificate
> Authority,O=TEST.LOCAL', '-t', 'C,,', '-a', '-f',
> '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/usr/bin/certutil', '-d',
> 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n',
> 'CN=WIN-7G3BH6KDDHU.ngov.local', '-t', 'C,,', '-a', '-f',
> '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/usr/bin/certutil', '-d',
> 'sql:/etc/dirsrv/slapd-TEST-LOCAL/', '-A', '-n',
> 'CN=ngov-WIN-7G3BH6KDDHU-CA,DC=ngov,DC=local', '-t', 'C,,', '-a', '-f',
> '/etc/dirsrv/slapd-TEST-LOCAL/pwdfile.txt']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/bin/systemctl', 'start', 'dirsrv@TEST-LOCAL.service']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=['/bin/systemctl', 'is-active',
> 'dirsrv@TEST-LOCAL.service']
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 120
> ipa: DEBUG: waiting for port: 389
> ipa: DEBUG: SUCCESS: port: 389
> ipa: DEBUG: Start of dirsrv@TEST-LOCAL.service complete
> ipa: DEBUG: Created connection context.ldap2_140493289808392
> Added CA certificate /etc/ipa/ca.crt to certificate database for
> freeipa.TEST.local
> ipa: INFO: AD Suffix is: DC=ngov,DC=local
> ipa: DEBUG: retrieving schema for SchemaCache
> url=ldaps://freeipa.TEST.local:636
> conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fc7249c2c88>
> ipa: DEBUG: Add or update replica config
> cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping tree,cn=config
> ipa: DEBUG: No update to cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping
> tree,cn=config necessary
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local
> Windows PassSync system account exists, not resetting password
> ipa: DEBUG: Plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' already
> 'uid=passsync,cn=sysaccounts,cn=etc,dc=TEST,dc=local' in passSyncManagersDNs
> ipa: DEBUG: Waiting up to 300 seconds for replication
> (ldaps://freeipa.TEST.local:636)
> cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping
> tree,cn=config (objectclass=*)
> ipa: DEBUG: Entry found
> [LDAPEntry(ipapython.dn.DN('cn=meToWIN-7G3BH6KDDHU.ngov.local,cn=replica,cn=dc\=TEST\,dc\=local,cn=mapping
> tree,cn=config'), {'objectClass': [b'nsDSWindowsReplicationAgreement',
> b'top'], 'cn': [b'meToWIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaHost':
> [b'WIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicaPort': [b'389'],
> 'nsds5replicaTimeout': [b'120'], 'nsDS5ReplicaRoot':
> [b'dc=TEST,dc=local'], 'description': [b'me to
> WIN-7G3BH6KDDHU.ngov.local'], 'nsDS5ReplicatedAttributeList':
> [b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn
> krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
> 'nsDS5ReplicaBindDN': [b'cn=Administrator,cn=Users,dc=ngov,dc=local'],
> 'nsDS5ReplicaTransportInfo': [b'TLS'], 'nsDS5ReplicaBindMethod':
> [b'simple'], 'nsds7WindowsReplicaSubtree':
> [b'cn=Users,DC=ngov,DC=local'], 'nsds7DirectoryReplicaSubtree':
> [b'cn=users,cn=accounts,dc=TEST,dc=local'],
> 'nsds7NewWinUserSyncEnabled': [b'true'], 'nsds7NewWinGroupSyncEnabled':
> [b'false'], 'nsds7WindowsDomain': [b'TEST.local'],
> 'nsDS5ReplicaCredentials':
> [b'{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTVaRGxoTVRJNFpDMHhOVGt6TTJZNQ0KTmkwNU9HTTBNR0ZtTXkxaE56TTJaakUwTWdBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRGJXVlFqdEZEY3k1RjFYTEMwT1V2TA==}gjvpjBG5R/xt7jkO7XzRPg=='],
> 'nsds5replicareapactive': [b'0'], 'nsds5replicaLastUpdateStart':
> [b'19700101000000Z'], 'nsds5replicaLastUpdateEnd': [b'19700101000000Z'],
> 'nsds5replicaChangesSentSinceStartup': [b''],
> 'nsds5replicaLastUpdateStatus': [b'Error (0) No replication sessions
> started since server startup'], 'nsds5replicaLastUpdateStatusJSON':
> [b'{"state": "green", "ldap_rc": "0", "ldap_rc_text": "success",
> "repl_rc": "0", "repl_rc_text": "replica acquired", "date":
> "2021-10-20T10:36:28Z", "message": "Error (0) No replication sessions
> started since server startup"}'], 'nsds5replicaUpdateInProgress':
> [b'FALSE'], 'nsds5replicaLastInitStart': [b'19700101000000Z'],
> 'nsds5replicaLastInitEnd': [b'19700101000000Z']})]
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: Error (0)
> Replica acquired successfully: Incremental update started: start:
> 20211020103628: end: 20211020103628
> ipa: INFO: Agreement is ready, starting replication . . .
> ipa: WARNING: This configuration ("--winsync") may imply that the log
> file contains clear text passwords.
> Please ensure that these files can be accessed only by trusted accounts.
> Log files are under /var/lib/dirsrv/slapd-TEST-LOCAL/cldb
> Starting replication, please wait until this has completed.
>
> Update succeeded
>
> Connected 'freeipa.TEST.local' to 'WIN-7G3BH6KDDHU.ngov.local'
> ipa: DEBUG: Destroyed connection context.ldap2_140493289808392
> [root@freeipa ~]#
> ```
>
> I will be happy for any helpful advice. Thanks.

I'd suggest enabling replication debugging to see what is going on:
https://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

rob