[389-users] loss of group members in AD after initialization of sync

Jean-Noel Chardron Jean-Noel.Chardron at dr15.cnrs.fr
Mon Jun 15 20:24:44 UTC 2009


Richard Megginson wrote:
> ----- "jean-Noël Chardron" <Jean-Noel.Chardron at dr15.cnrs.fr> wrote:
>
>   
>> hello,
>>
>> When I initiate a first full synchronization of DS and AD I lost
>> members 
>> in groups
>>
>> error log shows :
>>
>> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
>>
>> AD entry [CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
>> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
>>
>> [c0e73a492ffbc04c9e85781a68f45023]
>> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
>> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid
>> [SFC]
>> [...]
>> [10/Jun/2009:15:00:11 +0200] - Windows sync entry: Adding new local 
>> entry dn: cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
>> objectClass: top
>> objectClass: groupofuniquenames
>> objectClass: ntGroup
>> ntGroupDeleteGroup: true
>> cn: SFC
>> description: Service Financier et Comptable
>> uniqueMember: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, 
>> dc=cnrs, dc=
>>  fr
>> uniqueMember:[...]
>> follow 10 members
>>
>> [...]
>> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - received entry
>> from 
>> dirsync: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
>> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
>>
>> AD entry [CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
>> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
>>
>> [0cdf6e627d64684cb10c70b3b8753fda]
>> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
>> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid
>> [MX]
>> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: problem looking for username:
>> -1
>> [10/Jun/2009:15:00:24 +0200] - Windows sync entry: Adding new local 
>> entry dn: uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
>> dc=fr
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetOrgPerson
>> objectClass: ntUser
>> ntUserDeleteAccount: true
>> uid: MX
>> sn: MX
>> givenName: Guillaume
>> cn: MX
>> ntUserCodePage: 0
>> ntUserAcctExpires: 0
>> ntUserDomainId: MX
>> mail: Guillaume.MX at dr15.cnrs.fr
>> ntUniqueId: 0cdf6e627d64684cb10c70b3b8753fda
>>
>>
>> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): windows_process_total_entry: Looking 
>> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" (ours)
>> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
>> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" 
>> guid="c0e73a492ffbc04c9e85781a68f45023"
>> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
>> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr"
>> username="SFC"
>> [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request
>> plugin
>> [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 
>> messages, 1 entries, 0 references
>> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_outbound: found AD entry 
>> dn="CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
>> [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request
>> plugin
>> [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 
>> messages, 1 entries, 0 references
>> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - 
>> windows_generate_update_mods: 
>> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, description : 
>> values are equal
>> [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for
>>
>> uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
>> [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for
>> uid=
>>
>> [follow 10 entries,]
>>
>> [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request
>> plugin
>> [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 
>> messages, 1 entries, 0 references
>> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
>>
>> AD entry
>> [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
>> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
>>
>> [72a7171ffaa0d84a9ca4ec2d90a4ab2b]
>> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
>> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid 
>> [essaibug]
>> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: problem looking for username:
>> -1
>> [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request
>> plugin
>> [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 
>> messages, 1 entries, 0 references
>>
>> [10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin - 
>> windows_generate_update_mods: 
>> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, sAMAccountName
>> : 
>> values are equal
>> [10/Jun/2009:15:01:38 +0200] - smod - windows sync
>> [10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member
>> [10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: 
>> CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
>> [10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member
>> [10/Jun/2009:15:01:38 +0200] - smod 1 - value: member:
>>
>> [follow the 10 entries]
>>
>> [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - 
>> windows_update_remote_entry: modifying entry 
>> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
>> [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): Received result code 0 () for modify operation
>>
>> [10/Jun/2009:15:01:55 +0200] - map_dn_values: no local entry found for
>>
>> uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
>>
>> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - received entry
>> from 
>> dirsync:
>> CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
>> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching
>>
>> AD entry
>> [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
>> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
>>
>> [72a7171ffaa0d84a9ca4ec2d90a4ab2b]
>> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
>> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid 
>> [essaibug]
>> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_inbound: problem looking for username:
>> -1
>> [10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local 
>> entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
>> dc=fr
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetOrgPerson
>> objectClass: ntUser
>> ntUserDeleteAccount: true
>> uid: essaibug
>> sn: essaibug
>> cn: essaibug
>> ntUserCodePage: 0
>> ntUserAcctExpires: 9223372036854775807
>> ntUserDomainId: essaibug
>> ntUniqueId: 72a7171ffaa0d84a9ca4ec2d90a4ab2b
>>
>> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
>> dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
>> dc=fr" 
>> guid="72a7171ffaa0d84a9ca4ec2d90a4ab2b"
>> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
>> dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs,
>> dc=fr" 
>> username="essaibug"
>> [10/Jun/2009:15:07:13 +0200] - Calling windows entry search request
>> plugin
>> [10/Jun/2009:15:07:13 +0200] - windows_search_entry: recieved 2 
>> messages, 1 entries, 0 references
>> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin -
>> agmt="cn=zebigbos" 
>> (zebigbos:636): map_entry_dn_outbound: found AD entry 
>> dn="CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
>>
>> (following the translation of Google)
>> I suppose that during the initialization of the replication, groups have
>> lost members (group sfc) with the logs in order explicit removal of the
>> member in the group, sent by the DS to AD. The most likely explanation
>> is that the process is sequential but with a dispatch from AD to
>> DS-anarchic, with a group can be created before members in DS users.
>> These are leading to a later stage in a request for suppression AD DS
>> to members of the group that did not exist before the creation of the
>> group. This is "normal" since DS checks the consistency of information
>> and therefore the group members. The solution to this problem is to
>> create manually in the AD to add the lost members in the group or maybe
>> to initialize sync twice in a closed time.
>>
>> The administrator of the Windows server and the AD insulted me as a
>> result of this blunder.
>> I asked him if he had a backup of the AD. He had not.
>>
>>     
>
> So let me see if I understand what is happening:
> DS attempts to sync some groups from AD - since the user does not exist, it deletes the member from the group.  Then it syncs the group back to AD, and deletes those users from AD.
> Is that correct?
> I suppose a workaround would be to make sure all of the users are first added to DS, then sync the groups.
>   
yes, that is correct.

>> -- 
>>
>> Jean-Noel Chardron
>>
>>
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>     
>
>   
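
A log check for the sequence discussed in this thread, as an added example (not part of the original messages and not 389 DS code): it scans an error log for `delete: member` modifications sent to AD and reports whether each removed member was unresolved in DS at that moment and only created locally afterwards. It assumes one log record per line and that the AD `cn` equals the DS `uid`, as in the quoted log; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: records taken from the log quoted above, each re-joined
# onto one line (the mail wrapped them); assumes one record per line on disk.
SAMPLE_LOG = """\
[10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
[10/Jun/2009:15:01:38 +0200] - smod - windows sync
[10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member
[10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - windows_update_remote_entry: modifying entry CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
"""
TS = r"\[[^\]]+\] "
UNRESOLVED = re.compile(TS + r"- map_dn_values: no local entry found for (?P<dn>.+)$")
DEL_OP = re.compile(TS + r"- smod (?P<n>\d+) - delete: member$")
DEL_VAL = re.compile(TS + r"- smod (?P<n>\d+) - value: member: (?P<dn>.+)$")
MODIFY = re.compile(TS + r".*windows_update_remote_entry: modifying entry (?P<dn>.+)$")
ADDED = re.compile(TS + r"- Windows sync entry: Adding new local entry dn: (?P<dn>.+)$")

def rdn_value(dn):
    """'CN=essaibug,OU=...' -> 'essaibug'; AD cn and DS uid coincide in this log."""
    return dn.split(",", 1)[0].partition("=")[2].strip().lower()

def find_sync_member_deletions(log_text):
    """Return {AD group DN: [(member DN, unresolved_in_ds, created_in_ds_later)]}."""
    unresolved, delete_ops, pending = set(), set(), []
    report = defaultdict(list)
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        if line.endswith("- smod - windows sync"):
            delete_ops, pending = set(), []          # a new modify set starts
        elif m := UNRESOLVED.match(line):
            unresolved.add(rdn_value(m["dn"]))
        elif m := DEL_OP.match(line):
            delete_ops.add(m["n"])
        elif (m := DEL_VAL.match(line)) and m["n"] in delete_ops:
            pending.append(m["dn"])
        elif m := MODIFY.match(line):                # deletes are sent to this AD entry
            for dn in pending:
                report[m["dn"]].append([dn, rdn_value(dn) in unresolved, False])
            delete_ops, pending = set(), []
        elif m := ADDED.match(line):                 # user reached DS after the delete
            for rec in (r for recs in report.values() for r in recs):
                if rdn_value(rec[0]) == rdn_value(m["dn"]):
                    rec[2] = True
    return {group: [tuple(r) for r in recs] for group, recs in report.items()}

if __name__ == "__main__":
    print(find_sync_member_deletions(SAMPLE_LOG))
```

A member reported with both flags set matches the ordering described in the thread: the group was processed before the user existed in DS, and the removal had already been written back to AD.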




