[Freeipa-users] winsync agreement

Rich Megginson rmeggins at redhat.com
Fri Sep 14 00:00:54 UTC 2012


On 09/13/2012 05:53 PM, Steven Jones wrote:
> =======
> "Please explain "std AD"."
> =======
>
> under 8.4.2 page 178 the option listed as,
>
> --win-subtree says the default is cn=Users,$SUFFIX.
>
> Which I am told is "standard" AD layout.
Yes.  That is the default AD user container.
>
> I assume the $SUFFIX is staff.vuw.ac.nz in my case with IPA as ods.vuw.ac.nz.  So I want to map  cn=staff,dc=staff,dc=vuw,dc=ac,dc=nz to cn=users??,dc=ods,dc=vuw,dc=ac,dc=nz.
I think it's cn=users,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz in IPA
>
> at least I think so.
>
> So I take it I should set, --win-subtree cn=staff,$SUFFIX in the command line to make an agreement?
Yes.
>
> So for the IPA admin group I don't want to sync the admins, they are not in cn=staff but in cn=staff_admins. I want them not to sync but I also don't want them wiped out.
Are there corresponding users in IPA where the IPA uid is the same as 
the AD samaccountname of a user in the admin subtree?
>
> Users are simply a user say steven with no privileges. An admin is admin-steven with more permissions so I have 2 logins and 2 passwords depending on the work, it's our security policy.
>
> ==========
> "But why do you have users with the same userid in AD out of the scope of
> the sync agreement with the same userid as an IPA user?"
> ==========
>
> Probably because I don't have enough knowledge of IPA and even less of AD.
What I mean is this - for example, you have
cn=steven jones,cn=staff,$SUFFIX with samaccountname sjones
cn=admin-steven,cn=staff,$SUFFIX with samaccountname admin-steven
in AD and
uid=sjones,cn=staff,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
uid=admin-steven,cn=staff-admin,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz

So in the IPA user container, you have both users that you want to sync 
(in the windows subtree scope cn=staff,$SUFFIX), and users that you 
don't want to sync (in 
cn=staff-admin,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz)?

If so, what you are seeing is that in IPA, uid=admin-steven is deleted, 
but not uid=sjones.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Friday, 14 September 2012 11:15 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement
>
> On 09/13/2012 05:11 PM, Steven Jones wrote:
>> Hi,
>>
>> So I have 6.3 and just lost all my IPA users.
> In production or in a test environment?
>> So anyone on 6.2/6.3 until they upgrade after December's 6.4 could lose all their IPA users if they do a winsync agreement and don't twig to that option being essential if they don't have a std AD.
> Please explain "std AD".
>> Not only that my admins are in a separate OU, so even if I had done a --win-subtree=cn=staff_users admins being elsewhere would have gone bye bye anyway.
> Let's say you have in AD
> cn=Users,dc=example,dc=com
> cn=Adminusers,dc=example,dc=com
>
> and in IPA
> cn=users,cn=accounts,dc=example,dc=com
>
> and you set up your winsync agreement as
>
> nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
> nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com
>
> That is, you want users in cn=Users,dc=example,dc=com to be in sync with
> cn=users,cn=accounts,dc=example,dc=com
>
> IPA uses a flat DIT - users are grouped not by hierarchy but by
> attributes, as opposed to AD which uses hierarchies for grouping.  So
> IPA "flattens" hierarchies when it syncs users from AD to DS.
>
> Let's say you have
> cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith
> and
> uid=jsmith,cn=Users,dc=example,dc=com
>
> because of the way that winsync works, it will think because the AD
> entry and the IPA have the same userid, they should be in sync - but
> because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope
> of cn=Users,dc=example,dc=com winsync will think that the user has moved
> outside the scope of the agreement, and will delete the user.  Obviously
> it should not do that by default, hence
> https://fedorahosted.org/389/ticket/355
>
> But why do you have users with the same userid in AD out of the scope of
> the sync agreement with the same userid as an IPA user?
>
>
>
>> Luckily I hadn't disabled the admin account yet.....it was the only one left.
>>
>> I guess this stuff is a lot more complex than it looks.
>>
>> :/
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> 8><-----
>> will be fixed in RHEL 6.4 - not sure what you mean by "RHEL6 production
>> tree"
>> 8><----
>
>
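The deletion Rich describes (an AD account with the same userid as an IPA user, but living outside nsds7WindowsReplicaSubtree, is read by winsync as "moved out of scope" and the IPA entry is removed) can be predicted before the agreement is created. The following is an added example, not code from the thread or from FreeIPA/389-ds: a pre-flight check that takes a dump of AD (dn, sAMAccountName) pairs and IPA (dn, uid) pairs together with the intended --win-subtree, and lists every IPA user whose only AD counterpart sits outside that subtree. The entries are constructed from the example.com scenario in the quoted message; the `dn_in_subtree` helper and the decision to flag regardless of which IPA container the user lives in (broader than winsync's own rule, on purpose, so nothing is missed) are assumptions of this example.

```python
# Added example (not from the mailing-list thread, not FreeIPA/389-ds code):
# pre-flight check for IPA users that a winsync agreement scoped to a given
# AD subtree would delete as "moved out of scope". All entries are constructed.

def dn_components(dn: str) -> list[str]:
    """Split a DN into normalised RDN components (lowercase, trimmed).
    Good enough for the simple DNs used here; not a full RFC 4514 parser."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_subtree(dn: str, subtree: str) -> bool:
    """True if dn equals the subtree DN or lies anywhere below it."""
    d, s = dn_components(dn), dn_components(subtree)
    return len(d) >= len(s) and d[-len(s):] == s


def users_at_risk(ad_entries, ipa_entries, win_subtree):
    """Return [(ipa_dn, [ad_dns])] for IPA users whose uid matches an AD
    sAMAccountName, where none of the matching AD entries is inside
    win_subtree. These are the entries winsync would treat as having left
    the agreement's scope and delete (see the 389 ticket in the thread)."""
    ad_by_name: dict[str, list[str]] = {}
    for dn, sam in ad_entries:
        ad_by_name.setdefault(sam.lower(), []).append(dn)

    at_risk = []
    for ipa_dn, uid in ipa_entries:
        matches = ad_by_name.get(uid.lower(), [])
        if not matches:
            continue  # IPA-only user, no AD counterpart: winsync leaves it alone
        if any(dn_in_subtree(m, win_subtree) for m in matches):
            continue  # counterpart is inside the agreement scope: synced normally
        at_risk.append((ipa_dn, matches))
    return at_risk


# Constructed sample data mirroring the example.com scenario in the thread.
AD_ENTRIES = [
    ("cn=Alice Example,cn=Users,dc=example,dc=com", "alice"),
    ("cn=jsmith,cn=Adminusers,dc=example,dc=com", "jsmith"),
]
IPA_ENTRIES = [
    ("uid=alice,cn=users,cn=accounts,dc=example,dc=com", "alice"),
    ("uid=jsmith,cn=users,cn=accounts,dc=example,dc=com", "jsmith"),
    ("uid=bob,cn=users,cn=accounts,dc=example,dc=com", "bob"),
]
WIN_SUBTREE = "cn=Users,dc=example,dc=com"


def run_example():
    """Run the check over the constructed data and return the flagged users."""
    return users_at_risk(AD_ENTRIES, IPA_ENTRIES, WIN_SUBTREE)


if __name__ == "__main__":
    for ipa_dn, ad_dns in run_example():
        print(f"WOULD BE DELETED: {ipa_dn}")
        for ad_dn in ad_dns:
            print(f"    matching AD entry outside {WIN_SUBTREE}: {ad_dn}")
```

Run it against real exports (for example the output of an LDAP search for sAMAccountName on the AD side and uid on the IPA side) before creating the agreement; any line it prints is a user that either needs a different AD location, a different IPA uid, or an agreement scoped to a subtree that actually contains their AD entry.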