[Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups

Rich Megginson rmeggins at redhat.com
Thu Sep 27 21:03:06 UTC 2012


On 09/27/2012 02:57 PM, Steven Jones wrote:
> Hi,
>
> Yes existing IPA users....all users that are in AD lose ipausers AND any IPA user groups they were assigned to in IPA before the winsync takes place.
>
> So to be clear (I hope),
>
> After the winsync any IPA user NOT in AD stays in ipausers and their assigned IPA groups and works normally.
>
> After the winsync any pre-sync user in IPA and AD loses ALL IPA user group membership not just ipausers....and is not working.

Ok.  This is a new issue.

>
> After the winsync any user not until then in IPA but synced over from AD does not end up in ipausers (which was my understanding what was meant to happen).  That actually is no biggee...
Right, this is https://fedorahosted.org/freeipa/ticket/2324
>
> So I lost 80% of my user setup, it's a lot bigger issue than "not added to ipausers" group.
>
> :(
>
> Fortunately it's a cloned virtual test bed....and not production.....ouch...
>
> This and not bringing over all users because the user can have a sub-folder for mobile phone sync so gets wiped by the previous bug we discussed are total show stoppers for our IPA and RHEL desktop deployment,
This is a new one, perhaps I missed it.  If an AD user has a sub-folder,
that user is not synced to IPA, and due to #355 "winsync should not
delete entry that appears to be out of scope" it then is deleted from IPA?

In this case, should winsync sync the sub-folder, or ignore it, and just 
sync the user entry?
>
> Which seems to imply not this year?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Friday, 28 September 2012 4:08 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync agreement transferred users not going into ipausers and existing users dropped from all their groups
>
> On 09/26/2012 03:17 PM, Steven Jones wrote:
>> Is this expected?
> Ticket #2324 AD Users synced to IPA server are not added to "ipausers" group
> https://fedorahosted.org/freeipa/ticket/2324
>
> By "existing users" do you mean existing users in IPA?  Are these users
> synced with entries in AD?
>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272



