10:29 a.m.
Hello,
I do have a running `winsync` setup, which is working for most users. The only thing that
is missing are
* the groups: I've tried to activate the group sync using ldapmodify (setting
`nsds7NewWinGroupSyncEnabled: true`), but the attribute apparently is set to `false`
automatically and I cannot find logs that indicate problems.
* every administrative users: It seems that every user with `adminCount: 1` on AD is not
sync to FreeIPA, but I cannot find any reason for that nor is anything mentioned in the
logs regarding those users.
Do you have an idea what's wrong with my configuration or how to get logs that could
indicate the problem?
Best regards,
Theodor van Nahl
3:13 p.m.
Theodor van Nahl via FreeIPA-users wrote:
Hello,
I do have a running `winsync` setup, which is working for most users. The only thing that
is missing are
* the groups: I've tried to activate the group sync using ldapmodify (setting
`nsds7NewWinGroupSyncEnabled: true`), but the attribute apparently is set to `false`
automatically and I cannot find logs that indicate problems.
How are you trying to set this? I don't know of any active measures to
ensure this is disabled. Be aware that group sync hasn't been tested in
IPA for many years now, probably close to a decade. It may well work
fine but I'd test in a separate environment to be sure first.
* every administrative users: It seems that every user with
`adminCount: 1` on AD is not sync to FreeIPA, but I cannot find any reason for that nor is
anything mentioned in the logs regarding those users.
I can't find this attribute mentioned in either 389-ds or IPA so its
possible the users are being filtered for some other reason. If you flip
this to 0 are you saying they would be synced?
rob
Do you have an idea what's wrong with my configuration or how to get logs that could
indicate the problem?
Best regards,
Theodor van Nahl
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
3:35 a.m.
How are you trying to set this? I don't know of any active
measures to
ensure this is disabled. Be aware that group sync hasn't been tested in
IPA for many years now, probably close to a decade. It may well work
fine but I'd test in a separate environment to be sure first.
Since the FreeIPA setup is not used at the moment its okay if anything breaks.
But thanks for the warning, that was unexpecting for me. I've tried changing this
using the following:
# ldapmodify -x -D "cn=directory manager" -W < change_prefix.ldap
With the file:
dn: cn=meTohades.hq.example.de,cn=replica,cn=dc\3Dpriv\2Cdc\3Dexample\
2Cdc\3Dde,cn=mapping tree,cn=config
changetype: modify
replace: nsds7WindowsReplicaSubtree
nsds7WindowsReplicaSubtree: DC=hq,DC=example,DC=de
replace: nsds7NewWinGroupSyncEnabled
nsds7NewWinGroupSyncEnabled: true
I can't find this attribute mentioned in either 389-ds or IPA so its
possible the users are being filtered for some other reason. If you flip
this to 0 are you saying they would be synced?
This attribute is an AD attribute [0] indicating that "the user had its ACLs
changed to a more secure value". I've changed the value for one user, but
this didn't change the behaviour. But doing a query for admin users using
the sync agreement user works:
# ldapsearch -xLLL \
-H ldaps://hades.hq.example.de \
-D ipa-sync(a)hq.example.de \
-W \
-b cn=users,dc=hq,dc=example,dc=de \
(CN=Theodor van Nahl)
Because of that I don't see a permission problem as cause.
Best regards,
Theo
[0]: https://docs.microsoft.com/en-us/windows/win32/adschema/a-admincount
4:11 a.m.
Hello,
for documentation purposes: I was able to fix the user sync problem. Although I am still
not sure what the cause used to be.
Here's what I've done:
yum install ca-certificates
update-ca-trust force-enable
cp {windows,freeipa}.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
ipa-replica-manage disconnect freeipa.priv.example.de hades.hq.example.de
ipa-replica-manage connect --winsync --binddn …
Previously the AD certificate has been made available to the 389-server in the same way
the documentation referred to it (see [9.4 Managing Syncronisation Agreements]). But since
I wasn't able to disconnect the replication agreement due to licensing issues, I
decided to install the certificates system wide.
Although this could not have been the cause of the partial (!) syncronisation problem I do
have now every user in FreeIPA.
So the only issue I haven't been able to resolve by now is Group Sync, but to be
blunt, there are more pressing issues for me even so its inconvenient.
I do hope that this helps someone in the future.
Best regards,
Theo
[9.4 Managing Syncronisation Agreements]:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managin...
1721
days inactive
1723
days old
freeipa-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Rob Crittenden -
Theodor van Nahl