[Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory

[Martin Basti]

On 09/09/2015 10:50 AM, Andreas Calminder wrote:
> Forgot to write that deleting users in active directory not migrated 
> with the migrate-ds command works fine, it's only migrated users 
> present in the ad that breaks the winsync agreement on deletion.
>
> On 09/09/2015 10:35 AM, Andreas Calminder wrote:
>> Hi,
>> I've asked in #freeipa on freenode but to no avail, figured I'll ask 
>> here as well, since I think I've actually hit a bug or (quite) 
>> possibly I've done something moronic configuration/migration -wise.
>>
>> I've got an existing FreeIPA 3.0.0 environment running with a fully 
>> functioning winsync agreement and passsync service with the windows 
>> environments active directory, I'm trying to migrate the 3.0.0 
>> environments users into a freshly installed 4.1 (rhel7) environment, 
>> after migration I setup a winsync agreement and make it 
>> bi-directional  (one-way sync from windows) everything seems to be 
>> working alright until I delete a migrated user from the Active 
>> Directory, after the winsync picks up on the change it'll break and 
>> suggests a re-initialize. After the re-initialization the agreement 
>> seems to be fine, however the deleted user are still present in the 
>> ipa 4.1 environment and cannot be deleted. The webgui and ipa cli 
>> says: ipauser1: user not found. ipa user-find ipauser1 finds the user 
>> and it's visible in the ui.
>>
>> Anyone had the same problem or anything similar or any pointers on 
>> where to start looking?
>>
>> Regards,
>> Andreas
>>
>

Hello, this might be a replication conflict.

Can you list that user via ldapsearch to check if this is replication 
conflict?

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html