[Freeipa-users] winsync agreement

Rich Megginson rmeggins at redhat.com
Fri Sep 14 15:47:55 UTC 2012


On 09/14/2012 09:20 AM, Dmitri Pal wrote:
> On 09/13/2012 08:10 PM, Steven Jones wrote:
>> =====
>> Are there corresponding users in IPA where the IPA uid is the same as
>> the AD samaccountname of a user in the admin subtree?
>> =====
>>
>> I think the answer to that is yes.
>>
>> "admin-steven" in IPA also exists in AD as "admin-steven". So if I had set the two to different names the one in IPA would not have been wiped in IPA.
>>
>> :/
> So now that we understand the crux of the problem, Steven can you advise
> us on what we should have said and where (in docs or somewhere else)
> about this logic.
> Keep in mind that winsync is based on DS sync and we did not have this
> problem in DS in the past.
Right.  It was a bug introduced into the winsync code around 1.2.9 or 
so, when we changed winsync to support entry move and subtree rename.  
We mistakenly thought that this particular section of code would only 
apply when an entry was moved from within the sync subtree to outside of 
the sync subtree, in which case it seemed logical at the time to delete 
the DS entry.  The code has been changed in 1.2.11.14 to do one of 3 
things in this case 1) do nothing 2) delete the entry 3) unsync the entry.

> With IPA we have a flat tree but same problem can be faced in pure 389 DS.
Yes.
>
> I hope you realize that we did not do it on purpose. We definitely did
> not realize that anyone would be manually creating users with the same
> names. From the point of the sync algorithm it made sense to do what we
> have implemented as it seemed logical. JR faced this issue and filed a
> bug. We agreed with it but we still thought that it is a fairly corner
> case, this is why we did not file an errata or anything like.
Right.  This case is caused when you have in AD
dn: cn=Steve Jones,cn=Users,dc=example,dc=com
samaccountname: sjones
and
dn: cn=Steve Jones,cn=AdminUsers,dc=example,dc=com
samaccountname: sjones

We didn't think at the time that it made sense to do something like 
this, since the username is usually supposed to be unique within a 
domain - why would you have two user entries with the same username?

>
> However this is not the point. Back to my question. How could we have
> prevented this problem for you to make an informed decision and not do
> what you have done? Also realistically do you think it should be an
> errata? Doing an errata comes with a cost and the cost will be the
> features and bug fixes from the later version. Sometimes the errata is
> absolutely necessary but is it necessary now?
>
>
>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
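The collision Rich describes above (two AD entries sharing a samaccountname in different containers, one of them matching a uid that already exists in IPA) can be spotted before a winsync agreement is created. The following is an added example, not code from this thread or from 389-ds/FreeIPA; it parses a constructed LDIF export using the DNs quoted in the mail, and the IPA uid list and sync subtree are assumed sample values.

```python
# Added example: pre-flight check for samaccountname collisions before winsync.
# AD_LDIF, IPA_UIDS and SYNC_SUBTREE are constructed sample data, not real exports.
from collections import defaultdict

AD_LDIF = """\
dn: cn=Steve Jones,cn=Users,dc=example,dc=com
samaccountname: sjones

dn: cn=Steve Jones,cn=AdminUsers,dc=example,dc=com
samaccountname: sjones

dn: cn=Jane Roe,cn=Users,dc=example,dc=com
samaccountname: jroe
"""

IPA_UIDS = {"sjones", "admin-jane"}              # uids created by hand in IPA (constructed)
SYNC_SUBTREE = "cn=users,dc=example,dc=com"      # assumed winsync subtree on the AD side

def parse_ldif(text):
    """Return one {attr: value} dict per LDIF entry (single-valued attributes only)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip().lower()] = value.strip()
    if cur:
        entries.append(cur)
    return entries

def in_subtree(dn, subtree):
    """Case-insensitive check that dn lies at or under subtree."""
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)

def find_collisions(ldif_text, ipa_uids, sync_subtree):
    """Return (duplicates, outside_clash):
    duplicates   - samaccountname -> list of AD DNs when the name appears more than once
    outside_clash - samaccountname -> AD DNs *outside* the sync subtree that equal an IPA uid,
                    i.e. the case where winsync would wipe the matching IPA entry."""
    by_name = defaultdict(list)
    for e in parse_ldif(ldif_text):
        by_name[e["samaccountname"].lower()].append(e["dn"])
    duplicates = {n: dns for n, dns in by_name.items() if len(dns) > 1}
    ipa = {u.lower() for u in ipa_uids}
    outside_clash = {}
    for n, dns in by_name.items():
        outside = [d for d in dns if not in_subtree(d, sync_subtree)]
        if n in ipa and outside:
            outside_clash[n] = outside
    return duplicates, outside_clash
```

Run `find_collisions(AD_LDIF, IPA_UIDS, SYNC_SUBTREE)` against a real `ldifde`/`ldapsearch` export and the output of `ipa user-find` to review both lists before enabling the agreement.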