[Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory

Andreas Calminder andreas.calminder at nordnet.se
Fri Sep 11 05:26:59 UTC 2015


Can confirm, works well for me too. Thanks!

On 09/10/2015 05:06 PM, Petr Vobornik wrote:
> On 09/10/2015 05:00 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Hmm, does this mean we need to update our HowTo on migrating FreeIPA to FreeIPA
>>> via migrate-ds? It is already a quite long command, mostly due to the need of
>>> removing Kerberos attributes:
>>>
>>> http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>>>
>>
>> I think it should. I haven't updated it because I never actually tested
>> it to see that it worked as expected. It seems to be working for Andreas
>> though.
>>
>> rob
>
> It works for me. I have updated the page.
>
>>
>>>
>>> Martin
>>>
>>> On 09/09/2015 09:40 PM, Andreas Calminder wrote:
>>>> Hi,
>>>> I just wanted to post the solution for this. I've reported this to
>>>> Redhat and a bug has been filed (https://bugzilla.redhat.com/1261536).
>>>> The problem was that migrate-ds copied the attribute mepManagedEntry on
>>>> migration; the suggested workaround, running migrate-ds with
>>>> --user-ignore-attribute=mepManagedEntry
>>>> --user-ignore-objectclass=mepOriginEntry, worked like a charm
>>>> (Thanks Rob!): deleting users in active directory doesn't break the
>>>> winsync agreement and I'm able to delete migrated users directly in
>>>> ipa. As mentioned in the bug comments, migrate-ds isn't really for
>>>> ipa to ipa migration. However, it kind of worked...
>>>>
>>>> /andreas
>>>>
>>>> From: freeipa-devel-bounces at redhat.com 
>>>> [mailto:freeipa-devel-bounces at redhat.com] On Behalf Of Andreas 
>>>> Calminder
>>>> Sent: den 9 september 2015 17:16
>>>> To: freeipa-devel at redhat.com
>>>> Subject: Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break 
>>>> winsync agreement when deleted in active directory
>>>>
>>>> Yes, kind of. I wanted a new environment with a proper certificate
>>>> authority setup with only the old users and groups from the IPA 3.0
>>>> environment. The old environment uses a self-signed CA; I thought it
>>>> would be easier to just migrate my users and groups.
>>>> On 9 Sep 2015 4:49 pm, Rob Crittenden <rcritten at redhat.com> wrote:
>>>> Andreas Calminder wrote:
>>>>> Hi,
>>>>> thanks for your reply, I'm able to list the user with ldapsearch and I
>>>>> can't find any conflict entries described in the article. The 4.1
>>>>> environment is only 1 server connected to active directory. Forgot to
>>>>> reply to the list before, doh!
>>>>>
>>>>> I've noticed a difference between users in 3.0 and 4.1 though: migrated
>>>>> users in 4.1 do not have an entry in
>>>>> "cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" while users in 3.0
>>>>> have this.
>>>>> Example:
>>>>>
>>>>> FreeIPA 4.1 environment:
>>>>> # ldapsearch -xLLL -D "cn=directory manager" -W
>>>>> -b"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>>>>> Enter LDAP Password:
>>>>> No such object (32) Matched DN:
>>>>> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
>>>>>
>>>>> FreeIPA 3.0 environment:
>>>>> # ldapsearch -xLLL -D "cn=directory manager" -W -b
>>>>> "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
>>>>> Enter LDAP Password:
>>>>> dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
>>>>> objectClass: posixgroup
>>>>> objectClass: ipaobject
>>>>> objectClass: mepManagedEntry
>>>>> objectClass: top
>>>>> cn: batman
>>>>> gidNumber: 1486600065
>>>>> description: User private group for batman
>>>>> mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
>>>>> ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c
>>>>
>>>> Migrated users don't get user-private groups created.
>>>>
>>>> Is there a reason you migrated from 3.0 to 4.1 rather than just adding a
>>>> 4.1 master to the existing pool?
>>>>
>>>> rob
>>>>
>>>>>
>>>>> /andreas
>>>>>
>>>>> On 09/09/2015 04:29 PM, Rich Megginson wrote:
>>>>>> On 09/09/2015 03:39 AM, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 09/09/2015 10:50 AM, Andreas Calminder wrote:
>>>>>>>> Forgot to write that deleting users in active directory not migrated
>>>>>>>> with the migrate-ds command works fine; it's only migrated users
>>>>>>>> present in the AD that break the winsync agreement on deletion.
>>>>>>>>
>>>>>>>> On 09/09/2015 10:35 AM, Andreas Calminder wrote:
>>>>>>>>> Hi,
>>>>>>>>> I've asked in #freeipa on freenode but to no avail, figured I'll
>>>>>>>>> ask here as well, since I think I've actually hit a bug or (quite)
>>>>>>>>> possibly I've done something moronic configuration/migration-wise.
>>>>>>>>>
>>>>>>>>> I've got an existing FreeIPA 3.0.0 environment running with a fully
>>>>>>>>> functioning winsync agreement and passsync service with the windows
>>>>>>>>> environment's active directory. I'm trying to migrate the 3.0.0
>>>>>>>>> environment's users into a freshly installed 4.1 (rhel7)
>>>>>>>>> environment. After migration I set up a winsync agreement and make
>>>>>>>>> it bi-directional (one-way sync from windows). Everything seems to
>>>>>>>>> be working alright until I delete a migrated user from the Active
>>>>>>>>> Directory; after the winsync picks up on the change it'll break and
>>>>>>>>> suggest a re-initialize. After the re-initialization the agreement
>>>>>>>>> seems to be fine, however the deleted user is still present in the
>>>>>>>>> ipa 4.1 environment and cannot be deleted. The webgui and ipa cli
>>>>>>>>> say: ipauser1: user not found. ipa user-find ipauser1 finds the
>>>>>>>>> user and it's visible in the ui.
>>>>>>>>>
>>>>>>>>> Anyone had the same problem or anything similar, or any pointers on
>>>>>>>>> where to start looking?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Andreas
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Hello, this might be a replication conflict.
>>>>>>>
>>>>>>> Can you list that user via ldapsearch to check if this is a
>>>>>>> replication conflict?
>>>>>>>
>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>>>>>>
>>>>>> Use the latest docs, just in case they are more accurate:
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
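The thread's root cause is a migrated user that still carries a mepManagedEntry link to a user-private group migrate-ds never created, which is what the --user-ignore-attribute/--user-ignore-objectclass workaround prevents. The following added example (not code from the thread or from FreeIPA) checks a completed migration for such dangling links; the LDIF is constructed to mirror the entries Andreas quoted, and in practice you would feed it the ldapsearch -LLL dumps of cn=users and cn=groups instead.

```python
# Constructed sample LDIF, modelled on the entries quoted in the thread.
# "batman" is a migrated 4.1 user still carrying mepManagedEntry, but migrate-ds
# never created its user-private group; "robin" was created locally and matches.
USERS_LDIF = """\
dn: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
objectClass: mepOriginEntry
uid: batman
mepManagedEntry: cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
objectClass: mepOriginEntry
uid: robin
mepManagedEntry: cn=robin,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
"""
GROUPS_LDIF = """\
dn: cn=robin,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: mepManagedEntry
cn: robin
mepManagedBy: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict {attr_lower: [values]} per entry.
    Joins continuation lines (leading space); base64 '::' values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # LDIF folds long values this way
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def dangling_managed_entries(users_ldif, groups_ldif):
    """User DNs whose mepManagedEntry names a group DN absent from the groups dump."""
    group_dns = {e["dn"][0].lower() for e in parse_ldif(groups_ldif)}
    return [u["dn"][0] for u in parse_ldif(users_ldif)
            if any(t.lower() not in group_dns for t in u.get("mepmanagedentry", []))]
```

Any DN this reports is a user whose deletion in Active Directory can trip the winsync agreement the way the thread describes; re-running the migration with the ignore options, or clearing the stale attribute, removes the link.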