In ipaserver/install/replication.py::setup_agreement() the value for nsds5ReplicaStripAttrs is added after the agreement is created.
This is masked when installing a new replica because the update fixup plugin is executed and the agreement is repaired.
If you do a connect between two masters then this attribute won't be added to the agreement.
A workaround is to run ipa-ldap-updater after doing a connect.
This was noticed in DS ticket https://fedorahosted.org/389/ticket/47386
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1023085
master: 9a368b6[[BR]] ipa-3-3: e2a4deb
Current fix breaks winsync:
# ipa-replica-manage connect --winsync --passsync=password --cacert=/tmp/tmp.HoMxuBdA3E/ADcert.cer squab.adrelm.com --binddn "CN=Administrator,CN=Users,DC=adrelm,DC=com" --bindpw Secret123 -v -p Secret123 ipa: INFO: AD Suffix is: DC=adrelm,DC=com Added CA certificate /tmp/tmp.HoMxuBdA3E/ADcert.cer to certificate database for hp-z600-01.testrelm.com The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm,dc=com Windows PassSync entry exists, not resetting password unexpected error: attribute "nsds5ReplicaStripAttrs" not allowed
master: f9a8a30[[BR]] ipa-3-3: efdeb0b
Metadata Update from @rcritten: - Issue assigned to akrivoka - Issue set to the milestone: FreeIPA 3.3.x - 2013/11 (bug fixing)
Login to comment on this ticket.