[Freeipa-users] winsync agreement wipes IPA users

Rich Megginson rmeggins at redhat.com
Tue Sep 18 12:32:16 UTC 2012


On 09/17/2012 07:10 PM, Steven Jones wrote:
> Hi,
>
> I understand that I'll lose users that are cn=Staff_Admins,dc=etc
>
> So the Q is why I am losing users in the --win-subtree 
> cn=VUW_Staff,dc= etc
>
> This I don't understand....
>
> I have the -v already, any way to make it very verbose?

http://port389.org/wiki/FAQ#Troubleshooting
Use the replication log level 8192.
I'd like to see the directory server errors log 
/var/log/dirsrv/slapd-DOMAIN/errors when winsync deletes entries under 
the --win-subtree cn=VUW_Staff,dc= etc

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Tuesday, 18 September 2012 12:47 p.m.
> *To:* Steven Jones
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/17/2012 06:17 PM, Steven Jones wrote:
>> Hi,
>>
>> The first time I missed the --win-subtree settings so I wiped the 
>> admins in the IPA admin group and users as they were not in cn=users 
>> as per the bug.  The second time as far as I can tell I specified the 
>> correct cn via win-subtree flag but I still appear to have lost the 
>> users in IPA.....now I expected to lose the admins but the loss of 
>> users as well confounds me.
>>
>> I did an ldapsearch as per checking and it seems to be saying the 
>> right folder/ou/cn but IPA is empty.
>>
>> Hence I was wondering if there was a log recording what the update 
>> was doing so I could try and figure out the mistake.  I've tried 
>> grepping, can't find any indication.
>>
>> I will re-try with -v, verbose.
>
> It is not clear from the manuals, but no matter what --win-subtree you 
> specify, winsync will search AD starting from the dc=domain suffix.  
> So, for example, if you have
> cn=mystaff,cn=staff,dc=example,dc=com
> and you specify
> --win-subtree "cn=mystaff,cn=staff,dc=example,dc=com"
> winsync will still search starting from dc=example,dc=com and will hit 
> ticket/355 if there are any users outside of 
> cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a 
> user in IPA.
>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson [rmeggins at redhat.com]
>> *Sent:* Tuesday, 18 September 2012 11:37 a.m.
>> *To:* Steven Jones
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>
>> On 09/17/2012 04:17 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> I just tried to do a winsync agreement with specifying the AD point 
>>> as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz  as my users are 
>>> not in the users folder but the VUW_Staff folder (at the same level) 
>>> and it wiped all IPA users that are also in AD.
>>
>> Yes, this is what happens with https://fedorahosted.org/389/ticket/355
>> #355     winsync should not delete entry that appears to be out of scope
>>
>>> While doing the actual update does this get verbosely logged anywhere 
>>> as opposed to "update in progress" dumped to the screen?  Something 
>>> went badly wrong, I just don't know what.
>>
>> You are seeing something different than #355?
>>
>>>
>>> :/
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
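
Added example (not part of the original thread and not 389 or FreeIPA code): a pre-flight check for the condition described in the thread, listing AD users that sit outside the --win-subtree but share a username with an IPA user. It assumes the AD entries were already exported by a search from the domain suffix and that usernames are compared as sAMAccountName against the IPA uid; all DNs and names below are constructed.

```python
# Constructed sample data; at_risk() and its helpers are hypothetical names.

def normalize_rdn(rdn):
    """Lower-case an RDN and trim whitespace around attribute and value."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return [normalize_rdn(r) for r in rdns if r.strip()]

def in_subtree(dn, base):
    """True if dn is the base entry itself or lies beneath it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def at_risk(ad_entries, win_subtree, ipa_uids):
    """AD users outside win_subtree whose username matches an IPA uid."""
    ipa = {u.lower() for u in ipa_uids}
    return sorted((sam, dn) for dn, sam in ad_entries
                  if sam.lower() in ipa and not in_subtree(dn, win_subtree))

WIN_SUBTREE = "cn=mystaff,cn=staff,dc=example,dc=com"
AD_ENTRIES = [  # (DN, sAMAccountName) from a search based at dc=example,dc=com
    ("CN=Alice,CN=mystaff,CN=staff,DC=example,DC=com", "alice"),
    ("CN=Bob,CN=Users,DC=example,DC=com", "bob"),
    ("CN=Smith\\, Carol,CN=mystaff, CN=staff,DC=example,DC=com", "carol"),
    ("CN=Dave,CN=Users,DC=example,DC=com", "dave"),
]
IPA_UIDS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    for sam, dn in at_risk(AD_ENTRIES, WIN_SUBTREE, IPA_UIDS):
        print(f"collision outside win-subtree: {sam} -> {dn}")
```

An empty result means no same-named AD account exists outside the chosen subtree; any row returned is an IPA user to resolve before creating the agreement.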
