[Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory

Petr Vobornik pvoborni at redhat.com
Thu Sep 10 15:06:40 UTC 2015


On 09/10/2015 05:00 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> Hmm, does this mean we need to update our HowTo on migrating FreeIPA to FreeIPA
>> via migrate-ds? It is already a quite long command, mostly due to the need of
>> removing Kerberos attributes:
>>
>> http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>
> I think it should. I haven't updated it because I never actually tested
> it to see that it worked as expected. It seems to be working for Andreas
> though.
>
> rob

It works for me. I have updated the page.

>
>>
>> Martin
>>
>> On 09/09/2015 09:40 PM, Andreas Calminder wrote:
>>> Hi,
>>> I just wanted to post the solution for this. I've reported this to Red Hat and a bug has been filed (https://bugzilla.redhat.com/1261536). The problem was that migrate-ds copied the attribute mepManagedEntry on migration; the suggested workaround, running migrate-ds with --user-ignore-attribute=mepManagedEntry --user-ignore-objectclass=mepOriginEntry, worked like a charm (thanks Rob!): deleting users in Active Directory doesn't break the winsync agreement and I'm able to delete migrated users directly in IPA. As mentioned in the bug comments, migrate-ds isn't really for IPA-to-IPA migration. However, it kind of worked...
>>>
>>> /andreas
>>>
>>> From: freeipa-devel-bounces at redhat.com [mailto:freeipa-devel-bounces at redhat.com] On Behalf Of Andreas Calminder
>>> Sent: den 9 september 2015 17:16
>>> To: freeipa-devel at redhat.com
>>> Subject: Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory
>>>
>>> Yes, kind of. I wanted a new environment with a proper certificate authority setup with only the old users and groups from the IPA 3.0 environment. The old environment uses a self-signed CA, so I thought it would be easier to just migrate my users and groups.
>>> On 9 Sep 2015 4:49 pm, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Andreas Calminder wrote:
>>>> Hi,
>>>> thanks for your reply, I'm able to list the user with ldapsearch and I
>>>> can't find any conflict entries described in the article. The 4.1
>>>> environment is only 1 server connected to active directory. Forgot to
>>>> reply to the list before, doh!
>>>>
>>>> I've noticed a difference between users in 3.0 and 4.1 though: migrated
>>>> users in 4.1 do not have an entry in
>>>> "cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld", while users in 3.0 have this.
>>>> Example:
>>>>
>>>> FreeIPA 4.1 environment:
>>>> # ldapsearch -xLLL -D "cn=directory manager" -W
>>>> -b "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>>>> Enter LDAP Password:
>>>> No such object (32) Matched DN:
>>>> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
>>>>
>>>> FreeIPA 3.0 environment:
>>>> # ldapsearch -xLLL -D "cn=directory manager" -W -b
>>>> "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>>>> Enter LDAP Password:
>>>> dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
>>>> objectClass: posixgroup
>>>> objectClass: ipaobject
>>>> objectClass: mepManagedEntry
>>>> objectClass: top
>>>> cn: batman
>>>> gidNumber: 1486600065
>>>> description: User private group for batman
>>>> mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
>>>> ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c
>>>
>>> Migrated users don't get user-private groups created.
>>>
>>> Is there a reason you migrated from 3.0 to 4.1 rather than just adding a
>>> 4.1 master to the existing pool?
>>>
>>> rob
>>>
>>>>
>>>> /andreas
>>>>
>>>> On 09/09/2015 04:29 PM, Rich Megginson wrote:
>>>>> On 09/09/2015 03:39 AM, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 09/09/2015 10:50 AM, Andreas Calminder wrote:
>>>>>>> Forgot to write that deleting users in Active Directory not migrated
>>>>>>> with the migrate-ds command works fine; it's only migrated users
>>>>>>> present in AD that break the winsync agreement on deletion.
>>>>>>>
>>>>>>> On 09/09/2015 10:35 AM, Andreas Calminder wrote:
>>>>>>>> Hi,
>>>>>>>> I've asked in #freeipa on freenode but to no avail, so I figured I'll
>>>>>>>> ask here as well, since I think I've actually hit a bug or (quite)
>>>>>>>> possibly I've done something moronic configuration/migration-wise.
>>>>>>>>
>>>>>>>> I've got an existing FreeIPA 3.0.0 environment running with a fully
>>>>>>>> functioning winsync agreement and PassSync service with the Windows
>>>>>>>> environment's Active Directory. I'm trying to migrate the 3.0.0
>>>>>>>> environment's users into a freshly installed 4.1 (RHEL 7)
>>>>>>>> environment. After migration I set up a winsync agreement and make
>>>>>>>> it bi-directional (one-way sync from Windows). Everything seems to
>>>>>>>> be working alright until I delete a migrated user from the Active
>>>>>>>> Directory; after winsync picks up on the change it'll break and
>>>>>>>> suggest a re-initialize. After the re-initialization the agreement
>>>>>>>> seems to be fine; however, the deleted user is still present in the
>>>>>>>> IPA 4.1 environment and cannot be deleted. The web GUI and ipa CLI
>>>>>>>> say: "ipauser1: user not found". ipa user-find ipauser1 finds the
>>>>>>>> user and it's visible in the UI.
>>>>>>>>
>>>>>>>> Anyone had the same problem or anything similar or any pointers on
>>>>>>>> where to start looking?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Andreas
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Hello, this might be a replication conflict.
>>>>>>
>>>>>> Can you list that user via ldapsearch to check if this is replication
>>>>>> conflict?
>>>>>>
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>>>>>
>>>>>>
>>>>> Use the latest docs, just in case they are more accurate:
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>>>>
>>>>>
>>>>



-- 
Petr Vobornik
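The thread above pins the breakage on migrate-ds copying each user's mepManagedEntry pointer (and the mepOriginEntry objectClass) while not creating the user-private group it points to. The script below is an added example, not code from the thread or from the FreeIPA project: it reads two LDIF dumps (users carrying mepOriginEntry, and the existing groups) and reports every user whose mepManagedEntry target does not exist on the new server, so an already-migrated 4.x deployment can be checked for the same dangling pointers before users get deleted from AD. The ldapsearch commands and base DNs in the comments are assumptions modelled on the ones quoted in the thread; the sample LDIF is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project: find users
# whose mepManagedEntry (copied by migrate-ds) points at a user-private group
# that does not exist on this server.
#
# The two LDIF inputs are assumed to come from searches like these (base DNs
# are hypothetical; run against your own server; base64 "::" LDIF values are
# not handled):
#   ldapsearch -xLLL -D "cn=directory manager" -W \
#     -b "cn=users,cn=accounts,dc=sub,dc=domain,dc=tld" \
#     "(objectClass=mepOriginEntry)" mepManagedEntry > users.ldif
#   ldapsearch -xLLL -D "cn=directory manager" -W \
#     -b "cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" dn > groups.ldif
# The fix the thread settled on is to migrate without the pointer at all:
#   ipa migrate-ds --user-ignore-attribute=mepManagedEntry \
#       --user-ignore-objectclass=mepOriginEntry ...

# Join LDIF continuation lines (a leading space) onto the line before them.
ldif_unfold() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# stale_mep USERS_LDIF GROUPS_LDIF
# Prints "<user dn>TAB<missing group dn>" for every mepManagedEntry whose
# target DN is absent from GROUPS_LDIF. DNs are compared case-insensitively.
stale_mep() {
    known=$(mktemp) || return 1
    printf '%s\n' "$2" | ldif_unfold |
        awk 'tolower($0) ~ /^dn: / { print tolower(substr($0, 5)) }' > "$known"
    printf '%s\n' "$1" | ldif_unfold | awk -v known="$known" '
        BEGIN { while ((getline line < known) > 0) seen[line] = 1 }
        tolower($0) ~ /^dn: / { dn = substr($0, 5); next }
        tolower($0) ~ /^mepmanagedentry: / {
            target = substr($0, 18)
            if (!(tolower(target) in seen)) printf "%s\t%s\n", dn, target
        }
    '
    rm -f "$known"
}

# Constructed sample data standing in for the two ldapsearch outputs above:
# batman's private group is missing, robin's exists (folded DN, different
# case), alfred was created natively and has no pointer.
SAMPLE_USERS='dn: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: mepOriginEntry
mepManagedEntry: cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: mepOriginEntry
mepManagedEntry: cn=robin,cn=groups,cn=accounts,
 dc=sub,dc=domain,dc=tld

dn: uid=alfred,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount'

SAMPLE_GROUPS='dn: cn=Robin,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: cn=admins,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld'

# With real dumps: stale_mep "$(cat users.ldif)" "$(cat groups.ldif)"
stale_mep "$SAMPLE_USERS" "$SAMPLE_GROUPS"
```

On the constructed sample only batman is reported; an empty result on a real server means no migrated user still carries a pointer to a user-private group that was never created there.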