[Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups

Steven Jones Steven.Jones at vuw.ac.nz
Thu Sep 27 23:50:13 UTC 2012


>> This and not bringing over all users because the user can have a sub-folder for mobile phone sync so gets wiped by the previous bug we discussed are total show stoppers for our IPA and RHEL desktop deployment,
> This is a new one, perhaps I missed it.  If an AD user has a sub-folder,
> that user is not synced to IPA, and due to #355 winsync should not
> delete entry that appears to be out of scope it then is deleted from IPA?
>
> In this case, should winsync sync the sub-folder, or ignore it, and just
> sync the user entry?

I think I asked / suggested a flag for this, --exclude-subfolders or similar.... It might fix it, but ADs can be modded so much it might be a nightmare and you will need some serious testing per site.


I will try and describe this as best I can....

So the user is (hope this is understandable)

cn=user,ou=VUW_Staff,dc=staff,dc=vuw etc

What looks to be happening is (my best guess) the user gets synced over as it's under --win-subtree=ou=VUW_Staff,dc=staff,dc=vuw etc., but then there is a sort of symlink thing from cn=exchangesyncusers,cn=user,dc=staff,dc=vuw etc. that's actually to a subdirectory under some of the users... The ones with mobile smart phones, maybe you can swing an iPhone 5 each to test... ;)

Hence I think the known bug is coming into play: as the agreement is moving the user over, its next object is cn=exchangesyncusers,cn=user,ou=VUW_Staff,dc=vuw etc., so it promptly deletes the user it just added.

This exchange-sync-user subfolder is invisible until you go to advanced view, turn the users into folders, scroll down and find the user (it took our Exchange guru to show me); at that point this sync-to-Exchange folder "appears" and it's oops time.


I guess the problem is AD can be changed so much from a vanilla layout that finding these odd things and allowing for them in the winsync command is a bit of a nightmare, especially if you don't know there is an advanced AD view!

I certainly suggest that whoever deploys this doesn't do it live first off, but in a test environment with a FULL copy of their AD.  My management actually wanted me to do a simple test AD environment as a trial; that wouldn't have picked this up until too late, when I did it on production.

I think I asked for a --exclude-subfolders flag, which would cover our disabled users as it's a subfolder under the --win-subtree=OU=VUW_Staff.... But it looks like this is a symlink at a peer level, so actually fixing the #355 bug would stop it being an issue, I think.

I'm at home today so I can't supply much more info right now, but I'll try on Monday if you need more...
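A scope check of the kind the --exclude-subfolders idea above implies, as an added example: this is not FreeIPA or winsync code and is not how winsync decides what is in scope; the function names and the sample DNs are constructed for illustration, modelled on the DN pattern quoted in the mail. It classifies each candidate entry by how far below the --win-subtree base it sits, so that a sub-entry like cn=exchangesyncusers,cn=user,... or a user in a Disabled sub-OU can be skipped instead of being treated as a user to add or delete.

```python
import re

# Constructed sample, modelled on the DN pattern in the mail (not real VUW data).
WIN_SUBTREE = "ou=VUW_Staff,dc=staff,dc=vuw"
SAMPLE_ENTRIES = [
    "cn=alice,ou=VUW_Staff,dc=staff,dc=vuw",                       # ordinary user
    "cn=Smith\\, John,ou=VUW_Staff,dc=staff,dc=vuw",               # escaped comma in the RDN
    "cn=exchangesyncusers,cn=alice,ou=VUW_Staff,dc=staff,dc=vuw",  # sub-entry under a user
    "cn=bob,ou=Disabled,ou=VUW_Staff,dc=staff,dc=vuw",             # user in a sub-OU
    "cn=carol,ou=Students,dc=staff,dc=vuw",                        # outside the subtree
]


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; lower-case and trim for comparison.
    Attribute types are case-insensitive; values are folded too, which is fine for
    this illustration but is not a full RFC 4514 normalisation."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def relative_depth(entry_dn, base_dn):
    """Levels entry_dn sits below base_dn: 0 if equal, None if it is not under it."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)


def classify(entry_dn, win_subtree):
    """Hypothetical scope classification for one candidate entry."""
    depth = relative_depth(entry_dn, win_subtree)
    if depth is None:
        return "out_of_scope"
    if depth == 0:
        return "subtree_root"
    if depth == 1:
        return "user"
    return "nested"  # anything deeper: sub-entries under a user, sub-OUs, ...


def plan_sync(entry_dns, win_subtree, exclude_nested=True):
    """Return which entries a scope-aware pass would sync and which it would skip."""
    plan = {"sync": [], "skip": []}
    for dn in entry_dns:
        kind = classify(dn, win_subtree)
        if kind == "user" or (kind == "nested" and not exclude_nested):
            plan["sync"].append(dn)
        else:
            plan["skip"].append(dn)
    return plan


if __name__ == "__main__":
    for dn in SAMPLE_ENTRIES:
        print(f"{classify(dn, WIN_SUBTREE):14} {dn}")
    print(plan_sync(SAMPLE_ENTRIES, WIN_SUBTREE))
```

With exclude_nested=True the two "nested" entries and the out-of-scope one are skipped and only the two direct children of the subtree are synced; with exclude_nested=False the nested entries go into the sync list as well, which is the situation the mail describes. Before trusting a filter like this on a real directory, compare its skip list against what the agreement actually synced on a full copy of the AD, as the mail recommends.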

