[Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory

Andreas Calminder andreas.calminder at nordnet.se
Wed Sep 9 14:44:19 UTC 2015


Hi,
thanks for your reply. I'm able to list the user with ldapsearch and I 
can't find any conflict entries described in the article. The 4.1 
environment is only 1 server connected to Active Directory. Forgot to 
reply to the list before, doh!

I've noticed a difference between users in 3.0 and 4.1 though: migrated 
users in the 4.1 do not have an entry in 
"cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" while users in 3.0 have this.
Example:

FreeIPA 4.1 environment:
# ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
Enter LDAP Password:
No such object (32)
Matched DN: cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

FreeIPA 3.0 environment:
# ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
Enter LDAP Password:
dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: batman
gidNumber: 1486600065
description: User private group for batman
mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c

/andreas

On 09/09/2015 04:29 PM, Rich Megginson wrote:
> On 09/09/2015 03:39 AM, Martin Basti wrote:
>>
>>
>> On 09/09/2015 10:50 AM, Andreas Calminder wrote:
>>> Forgot to write that deleting users in Active Directory not migrated 
>>> with the migrate-ds command works fine, it's only migrated users 
>>> present in the AD that break the winsync agreement on deletion.
>>>
>>> On 09/09/2015 10:35 AM, Andreas Calminder wrote:
>>>> Hi,
>>>> I've asked in #freeipa on freenode but to no avail, so I figured I'll 
>>>> ask here as well, since I think I've actually hit a bug or (quite) 
>>>> possibly I've done something moronic configuration/migration-wise.
>>>>
>>>> I've got an existing FreeIPA 3.0.0 environment running with a fully 
>>>> functioning winsync agreement and passsync service with the Windows 
>>>> environment's Active Directory. I'm trying to migrate the 3.0.0 
>>>> environment's users into a freshly installed 4.1 (rhel7) 
>>>> environment. After migration I set up a winsync agreement and make 
>>>> it bi-directional (one-way sync from Windows). Everything seems to 
>>>> be working alright until I delete a migrated user from the Active 
>>>> Directory; after the winsync picks up on the change it'll break and 
>>>> suggest a re-initialize. After the re-initialization the agreement 
>>>> seems to be fine, however the deleted user is still present in the 
>>>> ipa 4.1 environment and cannot be deleted. The webgui and ipa cli 
>>>> say: ipauser1: user not found. ipa user-find ipauser1 finds the 
>>>> user and it's visible in the ui.
>>>>
>>>> Anyone had the same problem or anything similar or any pointers on 
>>>> where to start looking?
>>>>
>>>> Regards,
>>>> Andreas
>>>>
>>>
>>
>> Hello, this might be a replication conflict.
>>
>> Can you list that user via ldapsearch to check if this is a replication 
>> conflict?
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html 
>>
>>
> Use the latest docs, just in case they are more accurate: 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
>
