[Freeipa-users] winsync agreement wipes IPA users
Rich Megginson
rmeggins at redhat.com
Tue Sep 18 00:47:27 UTC 2012
On 09/17/2012 06:17 PM, Steven Jones wrote:
> Hi,
>
> The first time I missed the --win-subtree settings so I wiped the admins
> in the IPA admin group and users as they were not in cn=users as per
> the bug. The second time as far as I can tell I specified the correct
> cn via win-subtree flag but I still appear to have lost the users in
> IPA.....now I expected to lose the admins but the loss of users as
> well confounds me.
>
> I did an ldapsearch as per checking and it seems to be saying the
> right folder/ou/cn but IPA is empty.
>
> Hence I was wondering if there was a log recording what the update was
> doing so I could try and figure out the mistake. I've tried grepping,
> can't find any indication.
>
> I will re-try with -v, verbose.
It is not clear from the manuals, but no matter what --win-subtree you
specify, winsync will search AD starting from the dc=domain suffix. So,
for example, if you have

    cn=mystaff,cn=staff,dc=example,dc=com

and you specify

    --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"

winsync will still search starting from dc=example,dc=com and will hit
ticket/355 if there are any users outside of
cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a
user in IPA.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Tuesday, 18 September 2012 11:37 a.m.
> *To:* Steven Jones
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/17/2012 04:17 PM, Steven Jones wrote:
>> Hi,
>>
>> I just tried to do a winsync agreement with specifying the AD point
>> as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are
>> not in the users folder but the VUW_Staff folder (at the same level)
>> and it wiped all IPA users that are also in AD.
>
> Yes, this is what happens with https://fedorahosted.org/389/ticket/355
> #355 winsync should not delete entry that appears to be out of scope
>
>> While doing the actual update does this get verbosely logged anywhere
>> as opposed to "update in progress" dumped to the screen? Something
>> went badly wrong, I just don't know what.
>
> You are seeing something different than #355?
>
>>
>> :/
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
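A pre-flight check for the condition described in the reply above, as an added example that is not part of the original message or of the 389/IPA code: it lists AD accounts that sit outside the --win-subtree container but share a username with an IPA user, which are the entries exposed to ticket 355. It assumes the AD username is sAMAccountName and the IPA username is uid; the function names and all sample entries are constructed for illustration.

```python
import re

def rdns(dn):
    """Split a DN into normalized RDNs: trimmed, lowercased, no spaces
    around '='. A backslash-escaped comma stays inside its RDN."""
    parts = re.split(r'(?<!\\),', dn)
    return [re.sub(r'\s*=\s*', '=', p.strip().lower(), count=1)
            for p in parts if p.strip()]

def in_subtree(dn, base):
    """True if dn is the base entry itself or lies underneath it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def out_of_scope_collisions(ad_entries, ipa_uids, win_subtree):
    """Return sorted (username, AD DN) pairs for AD accounts that are
    outside win_subtree yet have the same username as an IPA user."""
    ipa = {u.lower() for u in ipa_uids}
    hits = []
    for dn, sam in ad_entries:
        if sam.lower() in ipa and not in_subtree(dn, win_subtree):
            hits.append((sam.lower(), dn))
    return sorted(hits)

# Constructed sample data. In practice these lists would come from an
# ldapsearch against AD rooted at the domain suffix and from the IPA
# user container.
WIN_SUBTREE = "cn=mystaff,cn=staff,dc=example,dc=com"
AD_ENTRIES = [  # (distinguishedName, sAMAccountName)
    ("CN=Alice A,CN=mystaff,CN=staff,DC=example,DC=com", "alice"),
    ("CN=Bob B,CN=Users,DC=example,DC=com", "bob"),
    ("CN=Administrator,CN=Users,DC=example,DC=com", "Admin"),
    ("CN=Carol C,CN=Users,DC=example,DC=com", "carol"),
    ("CN=Dave\\, D,cn=mystaff, cn=staff, dc=example, dc=com", "dave"),
]
IPA_UIDS = ["admin", "alice", "bob", "dave"]

if __name__ == "__main__":
    hits = out_of_scope_collisions(AD_ENTRIES, IPA_UIDS, WIN_SUBTREE)
    for uid, dn in hits:
        print(f"at risk: IPA uid={uid} matches out-of-scope AD entry {dn}")
    if not hits:
        print("no out-of-scope username collisions found")
```

An empty result means no IPA username matches an AD account outside the chosen container; any hit is worth resolving before the agreement is created.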