[Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory
Andreas Calminder
andreas.calminder at nordnet.se
Fri Sep 11 05:26:59 UTC 2015
Can confirm, works well for me too. Thanks!
On 09/10/2015 05:06 PM, Petr Vobornik wrote:
> On 09/10/2015 05:00 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Hmm, does this mean we need to update our HowTo on migrating FreeIPA
>>> to FreeIPA
>>> via migrate-ds? It is already quite long command, mostly due to the
>>> need of
>>> removing Kerberos attributes:
>>>
>>> http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>>>
>>
>> I think it should. I haven't updated it because I never actually tested
>> it to see that it worked as expected. It seems to be working for Andreas
>> though.
>>
>> rob
>
> It works for me. I have updated the page.
>
>>
>>>
>>> Martin
>>>
>>> On 09/09/2015 09:40 PM, Andreas Calminder wrote:
>>>> Hi,
>>>> I just wanted to post the solution for this, I've reported this to
>>>> Redhat and a bug has been filed
>>>> (https://bugzilla.redhat.com/1261536). The problem was that
>>>> migrate-ds copied the attribute mepManagedEntry on migration, the
>>>> suggested workaround, running migrate-ds with
>>>> --user-ignore-attribute=mepManagedEntry
>>>> --user-ignore-objectclass=mepOriginEntry worked like a charm
>>>> (Thanks Rob!), deleting users in active directory doesn't break the
>>>> winsync agreement and I'm able to delete migrated users directly in
>>>> ipa. As mentioned in the bug comments, migrate-ds isn't really for
>>>> ipa to ipa migration. However, it kind of worked...
>>>>
>>>> /andreas
>>>>
>>>> From: freeipa-devel-bounces at redhat.com
>>>> [mailto:freeipa-devel-bounces at redhat.com] On Behalf Of Andreas
>>>> Calminder
>>>> Sent: den 9 september 2015 17:16
>>>> To: freeipa-devel at redhat.com
>>>> Subject: Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break
>>>> winsync agreement when deleted in active directory
>>>>
>>>> Yes, kind of. I wanted a new environment with a proper certificate
>>>> authority setup with only the old users and groups from the IPA 3.0
>>>> environment. The old environment use a self signed ca, I thought it
>>>> would be easier to just migrate my users and groups.
>>>> On 9 Sep 2015 4:49 pm, Rob Crittenden <rcritten at redhat.com> wrote:
>>>> Andreas Calminder wrote:
>>>>> Hi,
>>>>> thanks for your reply, I'm able to list the user with ldapsearch
>>>>> and I
>>>>> can't find any conflict entries described in the article. The 4.1
>>>>> environment is only 1 server connected to active directory. Forgot to
>>>>> reply to the list before, doh!
>>>>>
>>>>> I've noticed a difference between users in 3.0 and 4.1 though,
>>>>> migrated
>>>>> users in the 4.1 does not have an entry in "
>>>>> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" while users in 3.0
>>>>> have this.
>>>>> Example:
>>>>>
>>>>> FreeIPA 4.1 environment:
>>>>> # ldapsearch -xLLL -D "cn=directory manager" -W
>>>>> -b"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>>>>> Enter LDAP Password:
>>>>> No such object (32) Matched DN:
>>>>> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
>>>>>
>>>>> FreeIPA 3.0 environment:
>>>>> # ldapsearch -xLLL -D "cn=directory manager" -W -b
>>>>> "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>>>>> Enter LDAP Password:
>>>>> dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
>>>>> objectClass: posixgroup
>>>>> objectClass: ipaobject
>>>>> objectClass: mepManagedEntry
>>>>> objectClass: top
>>>>> cn: batman
>>>>> gidNumber: 1486600065
>>>>> description: User private group for batman
>>>>> mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
>>>>> ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c
>>>>
>>>> Migrated users don't get user-private groups created.
>>>>
>>>> Is there a reason you migrated from 3.0 to 4.1 rather than just
>>>> adding a
>>>> 4.1 master to the existing pool?
>>>>
>>>> rob
>>>>
>>>>>
>>>>> /andreas
>>>>>
>>>>> On 09/09/2015 04:29 PM, Rich Megginson wrote:
>>>>>> On 09/09/2015 03:39 AM, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 09/09/2015 10:50 AM, Andreas Calminder wrote:
>>>>>>>> Forgot to write that deleting users in active directory not
>>>>>>>> migrated
>>>>>>>> with the migrate-ds command works fine, it's only migrated users
>>>>>>>> present in the ad that breaks the winsync agreement on deletion.
>>>>>>>>
>>>>>>>> On 09/09/2015 10:35 AM, Andreas Calminder wrote:
>>>>>>>>> Hi,
>>>>>>>>> I've asked in #freeipa on freenode but to no avail, figured I'll
>>>>>>>>> ask here as well, since I think I've actually hit a bug or
>>>>>>>>> (quite)
>>>>>>>>> possibly I've done something moronic configuration/migration
>>>>>>>>> -wise.
>>>>>>>>>
>>>>>>>>> I've got an existing FreeIPA 3.0.0 environment running with a
>>>>>>>>> fully
>>>>>>>>> functioning winsync agreement and passsync service with the
>>>>>>>>> windows
>>>>>>>>> environments active directory, I'm trying to migrate the 3.0.0
>>>>>>>>> environments users into a freshly installed 4.1 (rhel7)
>>>>>>>>> environment, after migration I setup a winsync agreement and make
>>>>>>>>> it bi-directional (one-way sync from windows) everything
>>>>>>>>> seems to
>>>>>>>>> be working alright until I delete a migrated user from the Active
>>>>>>>>> Directory, after the winsync picks up on the change it'll
>>>>>>>>> break and
>>>>>>>>> suggests a re-initialize. After the re-initialization the
>>>>>>>>> agreement
>>>>>>>>> seems to be fine, however the deleted user are still present
>>>>>>>>> in the
>>>>>>>>> ipa 4.1 environment and cannot be deleted. The webgui and ipa cli
>>>>>>>>> says: ipauser1: user not found. ipa user-find ipauser1 finds the
>>>>>>>>> user and it's visible in the ui.
>>>>>>>>>
>>>>>>>>> Anyone had the same problem or anything similar or any
>>>>>>>>> pointers on
>>>>>>>>> where to start looking?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Andreas
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Hello, this might be a replication conflict.
>>>>>>>
>>>>>>> Can you list that user via ldapsearch to check if this is
>>>>>>> replication
>>>>>>> conflict?
>>>>>>>
>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Use the latest docs, just in case they are more accurate:
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>>>>>
>>>>>>
>>>>>>
>>>>>
>
>
>
More information about the Freeipa-devel
mailing list