05-07-2012, 11:33 PM
Orion Poplawski

Issues with 389 <-> AD sync and user creation

We're trying to modify our already heavily modified version of fdstools to add
ntUser attributes to users. When we use it to create a new user (or add
ntUser attributes to an existing user) we end up with two new users in AD and
the cn: attribute of the user in 389 is modified to have CNF:<guid> added
which indicates a conflict in the database.


If we check the Enable NT User Attributes and create New NT Account in
389-console everything seems to work. We're not able to see what we're doing
differently. Except that perhaps 389-console is setting ntUniqueId, but I
didn't think it was supposed to do that, that the AD sync was supposed to
handle it.


In fdstools we're setting ntUserDomainId, ntUserCreateNewAccount, and
ntUserDeleteAccount. Which seems to be all we need to do according to
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html#ftn.id4791561


389-ds-1.2.1-1.el5
389-ds-base-1.2.9.9-1.el5


Ideas?

TIA,

Orion

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
05-09-2012, 10:36 PM
Rich Megginson

Issues with 389 <-> AD sync and user creation

On 05/07/2012 05:33 PM, Orion Poplawski wrote:
> We're trying to modify our already heavily modified version of
> fdstools to add ntUser attributes to users. When we use it to create
> a new user (or add ntUser attributes to an existing user) we end up
> with two new users in AD and the cn: attribute of the user in 389 is
> modified to have CNF:<guid> added which indicates a conflict in the
> database.
>
> If we check the Enable NT User Attributes and create New NT Account in
> 389-console everything seems to work. We're not able to see what
> we're doing differently. Except that perhaps 389-console is setting
> ntUniqueId, but I didn't think it was supposed to do that, that the AD
> sync was supposed to handle it.

Right.

> In fdstools we're setting ntUserDomainId, ntUserCreateNewAccount, and
> ntUserDeleteAccount. Which seems to be all we need to do according to
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html#ftn.id4791561

Right.

> 389-ds-1.2.1-1.el5
> 389-ds-base-1.2.9.9-1.el5
>
> Ideas?

Nope. Let's start with an error log from 389 using the replication
(8192) log level - http://port389.org/wiki/FAQ#Troubleshooting

I suppose you could also enable the audit log and see exactly what
sequence of operations the console does when it enables the nt attributes.

> TIA,
>
> Orion



 
05-11-2012, 05:35 PM
Orion Poplawski

Issues with 389 <-> AD sync and user creation

On 05/09/2012 04:36 PM, Rich Megginson wrote:
> On 05/07/2012 05:33 PM, Orion Poplawski wrote:
>> We're trying to modify our already heavily modified version of fdstools to
>> add ntUser attributes to users. When we use it to create a new user (or add
>> ntUser attributes to an existing user) we end up with two new users in AD
>> and the cn: attribute of the user in 389 is modified to have CNF:<guid>
>> added which indicates a conflict in the database.
>>
>> If we check the Enable NT User Attributes and create New NT Account in
>> 389-console everything seems to work. We're not able to see what we're doing
>> differently. Except that perhaps 389-console is setting ntUniqueId, but I
>> didn't think it was supposed to do that, that the AD sync was supposed to
>> handle it.
>
> Right.
>
>> In fdstools we're setting ntUserDomainId, ntUserCreateNewAccount, and
>> ntUserDeleteAccount. Which seems to be all we need to do according to
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html#ftn.id4791561
>
> Right.
>
>> 389-ds-1.2.1-1.el5
>> 389-ds-base-1.2.9.9-1.el5
>>
>> Ideas?
>
> Nope. Let's start with an error log from 389 using the replication (8192) log
> level - http://port389.org/wiki/FAQ#Troubleshooting
>
> I suppose you could also enable the audit log and see exactly what sequence of
> operations the console does when it enables the nt attributes.



Looks like our problem was that two windows sync agreements were set up
between one of our 389 masters and our two AD servers.



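An added check (not code from the thread or from 389 DS itself) for the misconfiguration Orion found: it parses the LDIF that an ldapsearch for winsync agreements returns on one supplier and reports any AD domain that has more than one agreement. The attribute and objectClass names assumed are the ones 389 uses for Windows Sync agreements; the sample LDIF is constructed.

```python
"""Flag a 389 DS supplier with more than one Windows Sync agreement for the same
AD domain. Input: LDIF from `ldapsearch -b cn=config '(objectClass=nsDSWindowsReplicationAgreement)'`."""
from collections import defaultdict

# Constructed sample: two agreements on one supplier, both for AD domain EXAMPLE.
SAMPLE_LDIF = r"""dn: cn=ad1-sync,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
cn: ad1-sync
nsDS5ReplicaHost: ad1.example.com
nsds7WindowsDomain: EXAMPLE

dn: cn=ad2-sync,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
cn: ad2-sync
nsDS5ReplicaHost: ad2.example.com
nsds7WindowsDomain: EXAMPLE
"""


def parse_ldif(text):
    """Minimal LDIF parser: one {attr_lowercase: [values]} dict per entry; folded lines joined."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:              # folded continuation line
            current[last][-1] += raw[1:]
        elif not raw.strip():                          # blank line terminates an entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif not raw.startswith("#"):                  # attr: value (base64 '::' kept raw)
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()                # LDAP attribute names are case-insensitive
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def duplicate_winsync_agreements(ldif_text):
    """Return {AD domain: [(agreement cn, AD host), ...]} for every domain with >1 agreement."""
    by_domain = defaultdict(list)
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsdswindowsreplicationagreement" not in classes:
            continue
        domain = entry.get("nsds7windowsdomain", ["?"])[0].upper()
        host = entry.get("nsds5replicahost", ["?"])[0]
        by_domain[domain].append((entry["cn"][0], host))
    return {d: a for d, a in by_domain.items() if len(a) > 1}
```

Run it against each master separately; a non-empty result means that master pushes the same users to AD twice, which is how the duplicate accounts and CNF conflict entries in the thread arise.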
 
