[Freeipa-users] winsync agreement wipes IPA users

Rich Megginson rmeggins at redhat.com
Thu Sep 20 23:37:02 UTC 2012 

On 09/20/2012 03:59 PM, Steven Jones wrote:
> uh....I just deleted the ad user templates but it puts them back, also 
> the disabled users are in a sub-container and when I delete them in 
> IPA they re-appear a few minutes later..
"ad user templates"?

I wonder if IPA is not setting the /|ntUserDeleteAccount|/
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Users.html
>
> :(
>
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com 
> [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal 
> [dpal at redhat.com]
> *Sent:* Friday, 21 September 2012 8:56 a.m.
> *To:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/20/2012 04:54 PM, Dmitri Pal wrote:
>> On 09/20/2012 04:43 PM, Steven Jones wrote:
>>> Some comments on the win sync agreement syntax.
>>>
>>> Hi,
>>>
>>> I'd like that command ipa-replica-manage connect  "improved" if 
>>> possible,
>>>
>>> 1) A flag on --win-subtree not to include sub-directories under the 
>>> specified OU= as I think it is why Ive picked up lots of disabled 
>>> users and templates. Also the capability to specify more than one OU 
>>> as I at least have 2 OU= with users in (maybe it can do that I just 
>>> dont see it)
>>>
>>> 2) A flag something like --exclude='LDAP 
>>> criteria/attribute'=disabled such that any disabled users in AD are 
>>> not transferred, I just transferred 7 years of ex-users and 200+ 
>>> templates I would rather not have....now I think I have a huge 
>>> cleanup task.  Not just exclude, say location, so if I only want to 
>>> sync users in one city (say) --include-only="LDAP Location'=Wellington
>>>
>>> Not sure if these are hugely useful but they would have helped me.
>>
>> Thank you for the feedback.
>> Would you mind filing BZs or trac tickets?
>
> NM. Rich bit me.
>
>
>
>>
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ------------------------------------------------------------------------
>>> *From:* freeipa-users-bounces at redhat.com 
>>> [freeipa-users-bounces at redhat.com] on behalf of Steven Jones 
>>> [Steven.Jones at vuw.ac.nz]
>>> *Sent:* Thursday, 20 September 2012 2:48 p.m.
>>> *Cc:* freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>
>>> it isnt,
>>>
>>> Im doing a OU=VUW_Staff instead of cn=VUW_Staff and its mostly 
>>> working except Im also getting some "rubbish" so its looking like 
>>> the import script/query to AD isnt right.
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ------------------------------------------------------------------------
>>> *From:* freeipa-users-bounces at redhat.com 
>>> [freeipa-users-bounces at redhat.com] on behalf of Steven Jones 
>>> [Steven.Jones at vuw.ac.nz]
>>> *Sent:* Thursday, 20 September 2012 12:15 p.m.
>>> *Cc:* freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>
>>> Hi,
>>>
>>> I have -win-subtree cn= etc I take it that cn= is fine and that ou= 
>>> and cn= are the same thing?
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>> *Sent:* Thursday, 20 September 2012 11:03 a.m.
>>> *To:* Steven Jones
>>> *Cc:* freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>
>>> On 09/19/2012 04:55 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>>
>>>> Sample of errors log,
>>>>
>>>> =========
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog 
>>>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for 
>>>> database 
>>>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog 
>>>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for 
>>>> database 
>>>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
>>>> ruv_update_ruv: successfully committed csn 504d01f7000000110000
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
>>>> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): 
>>>> State: stop_fatal_error -> stop_fatal_error
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
>>>> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): 
>>>> State: stop_fatal_error -> stop_fatal_error
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
>>>> ruv_add_csn_inprogress: successfully inserted csn 
>>>> 504d01f8000000110000 into pending list
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - Purged state 
>>>> information from entry 
>>>> uid=jonesst1,cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz up to 
>>>> CSN 504d42c5000000040000
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog 
>>>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for 
>>>> database 
>>>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog 
>>>> program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for 
>>>> database 
>>>> /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe64000000040000.db4
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
>>>> ruv_update_ruv: successfully committed csn 504d01f8000000110000
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
>>>> agmt="cn=meTovuwunicoipam002.ods.vuw.ac.nz" (vuwunicoipam002:389): 
>>>> State: stop_fatal_error -> stop_fatal_error
>>>> [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - 
>>>> agmt="cn=meTovuwunicoipam003.ods.vuw.ac.nz" (vuwunicoipam003:389): 
>>>> State: stop_fatal_error -> stop_fatal_error
>>>> =========
>>>
>>> Is cn=meTovuwunicoipam003.ods.vuw.ac.nz the windows sync agreement?
>>>
>>>>
>>>>
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>> *Sent:* Wednesday, 19 September 2012 12:32 a.m.
>>>> *To:* Steven Jones
>>>> *Cc:* freeipa-users at redhat.com
>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>
>>>> On 09/17/2012 07:10 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> I understand that I'll lose users that are cn=Staff_Admins,dc=etc
>>>>>
>>>>> So the Q is why I am losing users in the --win-subtree 
>>>>> cn=VUW_Staff,dc= etc
>>>>
>>>>
>>>>
>>>>>
>>>>> This I dont understand....
>>>>>
>>>>> I have the -v already, anyway to make it very verbose?
>>>>
>>>> http://port389.org/wiki/FAQ#Troubleshooting
>>>> Use the replication log level  8192
>>>> I'd like to see the directory server errors log 
>>>> /var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries 
>>>> under the --win-subtree cn=VUW_Staff,dc= etc
>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>> *Sent:* Tuesday, 18 September 2012 12:47 p.m.
>>>>> *To:* Steven Jones
>>>>> *Cc:* freeipa-users at redhat.com
>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>
>>>>> On 09/17/2012 06:17 PM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> The first time missed the --win-subtree settings so I wiped the 
>>>>>> admins in the IPA admin group and users as they were not in 
>>>>>> cn=users as per the bug.  The second time as far as I can tell I 
>>>>>> specified the correct cn via win-subtree flag but I still appear 
>>>>>> to have lost the users in IPA.....now I expected to lose the 
>>>>>> admins but the loss of users as well confounds me.
>>>>>>
>>>>>> I did a ldapsearch as per checking and its seems to be saying the 
>>>>>> right folder/ou/cn but IPA is empty.
>>>>>>
>>>>>> Hence I was wondering if there was a log recording what the 
>>>>>> update was doing so I could try and figure out the mistake.  Ive 
>>>>>> tried greping cant find any indication.
>>>>>>
>>>>>> I will re-try with -v, verbose.
>>>>>
>>>>> It is not clear from the manuals, but no matter what -win-subtree 
>>>>> you specify, winsync will search AD starting from the dc=domain 
>>>>> suffix.  So, for example, if you have
>>>>> cn=mystaff,cn=staff,dc=example,dc=com
>>>>> and you specify
>>>>> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
>>>>> winsync will still search starting from dc=example,dc=com and will 
>>>>> hit ticket/355 if there are any users outside of 
>>>>> cn=mystaff,cn=staff,dc=example,dc=com that have the same username 
>>>>> as a user in IPA.
>>>>>
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>>
>>>>>> Technical Specialist - Linux RHCE
>>>>>>
>>>>>> Victoria University, Wellington, NZ
>>>>>>
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>>>> *Sent:* Tuesday, 18 September 2012 11:37 a.m.
>>>>>> *To:* Steven Jones
>>>>>> *Cc:* freeipa-users at redhat.com
>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>
>>>>>> On 09/17/2012 04:17 PM, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I just tried to do a winsync agreement with specifying the AD 
>>>>>>> point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my 
>>>>>>> users are not in the users folder but the VUW_Staff folder (at 
>>>>>>> the same level) and it wiped all IPA users that are also in AD.
>>>>>>
>>>>>> Yes, this is what happens with 
>>>>>> https://fedorahosted.org/389/ticket/355
>>>>>> #355     winsync should not delete entry that appears to be out 
>>>>>> of scope
>>>>>>
>>>>>>> While doing the actual update does this get verbosly logged 
>>>>>>> anywhere as opposed to "update in progress" dumped to the 
>>>>>>> screen?  Something went badly wrong, I just dont know what.
>>>>>>
>>>>>> You are seeing something different than #355?
>>>>>>
>>>>>>>
>>>>>>> :/
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>>
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>>
>>>>>>> Victoria University, Wellington, NZ
>>>>>>>
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-users mailing list
>>>>>>> Freeipa-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> -- 
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120920/4dbe1bfc/attachment.htm>

More information about the Freeipa-users mailing list