Hi!

I followed the steps of the Red Hat document to implement Windows 2000 sync with FDS. After my "initial re-synchronization" process was done, I checked my directory tree.

I saw some entries like "cn=Domain Admins, ou=People, dc=example, dc=com", and it contained "Members/Static Group - uid=Administrator, , ou=People, dc=example, dc=com" in its properties. But I could not find the real entry DN named "uid=Administrator, , ou=People, dc=example, dc=com" in my DS tree. Is this the correct result? Or did I do something wrong with the configuration? Please tell me how to fix the problem. Thanks a lot.

Regards
Joe Yu
I got the same result when I did it. I guess it's normal.

On 10/26/05, joe <joe@openpower.com.tw> wrote:
> Hi!
>
> I followed the steps of Red Hat document to implement Windows 2000 sync
> with FDS. After my "initial re-synchronization" process was done, I checked
> my directory tree.
>
> I saw some entries like "cn=Domain Admins, ou=People, dc=example, dc=com",
> and it contained "Members/Static Group - uid=Administrator, , ou=People,
> dc=example, dc=com"
> in its properties. But I could not find the real entry dn named
> "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is it
> the correct result? Or I did
> something wrong with configuration. Please tell me how to fix the problem.
> Thanks a lot.
>
> Regards
> Joe Yu
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Thanks and Regards
Nabeel Moidu
System Administrator
OnMobile System Inc
Bangalore, India
www.onmobile.com <http://www.onmobile.com>

If we don't believe in freedom of expression for people we despise, we don't believe in it at all.
Noam Chomsky
joe wrote:
> Hi!
>
> I followed the steps of Red Hat document to implement Windows 2000
> sync with FDS. After my "initial re-synchronization" process was done,
> I checked my directory tree.
>
> I saw some entries like "cn=Domain Admins, ou=People, dc=example,
> dc=com", and it contained "Members/Static Group - uid=Administrator, ,
> ou=People, dc=example, dc=com"
> in its properties. But I could not find the real entry dn named
> "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is
> it the correct result? Or I did
> something wrong with configuration. Please tell me how to fix the
> problem. Thanks a lot.

I think it's ok. Administrator is a "pseudo" user - it's only used for Windows domain administration. I don't think it follows the schema for a user. Does the Administrator entry have a full name or a surname? There are other pseudo users that fall into this category, such as the kerberos kdc user. You could probably fill in the missing attributes and make it sync over, but it doesn't really matter unless you want to use the Administrator entry on unix.

> Regards
> Joe Yu
joe wrote:
> I followed the steps of Red Hat document to implement Windows 2000
> sync with FDS. After my "initial re-synchronization" process was done,
> I checked my directory tree.
>
> I saw some entries like "cn=Domain Admins, ou=People, dc=example,
> dc=com", and it contained "Members/Static Group - uid=Administrator, ,
> ou=People, dc=example, dc=com"
> in its properties. But I could not find the real entry dn named
> "uid=Administrator, , ou=People, dc=example, dc=com" in my ds tree. Is
> it the correct result? Or I did

This looks wrong. The double comma in the DN should be illegal. I don't believe this is a known problem -- I've never seen this particular issue reported before.

Do you otherwise get correct sync results? I.e., do your regular users and groups get sync'ed ok?

If you enable replication logging, then run a re-sync, there will probably be something in the error log pertaining to this entry. That might tell us what's going wrong.
Rich Megginson wrote:
> I think it's ok. Administrator is a "pseudo" user - it's only used
> for Windows domain administration. I don't think it follows the
> schema for a user. Does the Administrator entry have a full name or a
> surname? There are other pseudo users that fall into this category,
> such as the kerberos kdc user. You could probably fill in the missing
> attributes and make it sync over, but it doesn't really matter unless
> you want to use the Administrator entry on unix.

True (in fact, the special users in AD are not supposed to get sync'ed at all), but I'm puzzled about the group member being sync'ed. By design, only group members that are also already present in the peer directory should be sync'ed. Therefore, if things are working to plan, the Administrator user should not be sync'ed, and neither should any group member that has its DN.
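An added example, not part of the original messages and not Fedora Directory Server code: a stdlib-only Python check for the two symptoms discussed in the replies above, a member DN with an empty RDN component (the double comma) and a group member that has no matching entry in the tree. The LDIF sample is constructed, and the `member`/`uniqueMember` attribute names and the unfolded, non-base64 LDIF layout are assumptions.

```python
import re

# Constructed LDIF export for illustration; not data from the thread.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe

dn: cn=Domain Admins,ou=People,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Domain Admins
uniqueMember: uid=Administrator, , ou=People, dc=example, dc=com
uniqueMember: uid=jdoe, ou=People, dc=example, dc=com
uniqueMember: uid=ghost,ou=People,dc=example,dc=com
"""

MEMBER_ATTRS = {"member", "uniquemember"}  # assumed member attribute names

def split_rdns(dn):
    """Split a DN on unescaped commas and trim whitespace around each RDN."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def normalize(dn):
    """Case- and whitespace-insensitive form, used only for comparison."""
    return ",".join(split_rdns(dn)).lower()

def audit_members(ldif_text):
    """Return (group_dn, member_dn, problem) for each suspicious member value."""
    entries = []
    for block in ldif_text.strip().split("\n\n"):
        # Each line is "attr: value"; assumes no folded or base64 lines.
        pairs = [line.split(":", 1) for line in block.splitlines() if ":" in line]
        entries.append([(k.strip().lower(), v.strip()) for k, v in pairs])
    known = {normalize(v) for e in entries for k, v in e if k == "dn"}
    findings = []
    for e in entries:
        group_dn = next(v for k, v in e if k == "dn")
        for k, v in e:
            if k not in MEMBER_ATTRS:
                continue
            if any("=" not in rdn for rdn in split_rdns(v)):
                findings.append((group_dn, v, "malformed DN (empty RDN)"))
            elif normalize(v) not in known:
                findings.append((group_dn, v, "no such entry"))
    return findings

if __name__ == "__main__":
    for finding in audit_members(SAMPLE_LDIF):
        print(finding)
```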
On Wed, 2005-10-26 at 08:44 -0600, David Boreham wrote:
> Rich Megginson wrote:
>
> > I think it's ok. Administrator is a "pseudo" user - it's only used
> > for Windows domain administration. I don't think it follows the
> > schema for a user. Does the Administrator entry have a full name or a
> > surname? There are other pseudo users that fall into this category,
> > such as the kerberos kdc user. You could probably fill in the missing
> > attributes and make it sync over, but it doesn't really matter unless
> > you want to use the Administrator entry on unix.
>
> True (in fact, the special users in AD are not supposed to get sync'ed
> at all),
> but I'm puzzled about the group member being sync'ed. By design, only
> group members that are also already present in the peer directory should
> be sync'ed. Therefore, if things are working to plan, the Administrator user
> should not be sync'ed, and neither should any group member that has its
> DN.

Thanks for all of these answers. But I still have a problem with it. I tried to add some users in my AD and filled in their property values, such as full name and surname. Then I invoked the sync process again and checked the directory tree in my FDS. It still has no users synced from AD. What's wrong with it? Did I miss something important?

Regards
Joe