Hi, the following pair of patches fixes:
https://fedorahosted.org/freeipa/ticket/5162
From ab4f6e4ebdd91e9f57540acd11ecf0c13f1f2d81 Mon Sep 17 00:00:00 2001 From: Tomas Babej <[email protected]> Date: Mon, 17 Aug 2015 08:46:52 +0200 Subject: [PATCH] winsync-migrate: Add warning about passsync https://fedorahosted.org/freeipa/ticket/5162 --- ipaserver/install/ipa_winsync_migrate.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py index 73f79249a1f6e3f0cefa347fa20d472b5723ed9e..097b8c806cfb4df2ea98db86da7b34d99176a9c4 100644 --- a/ipaserver/install/ipa_winsync_migrate.py +++ b/ipaserver/install/ipa_winsync_migrate.py @@ -302,6 +302,12 @@ class WinsyncMigrate(admintool.AdminTool): object_container_dn=DN(api.env.container_selinux, api.env.basedn), ) + def warn_passsync(self): + self.log.warning("Migration completed. Please note that if PassSync " + "was configured on the given Active Directory server, " + "it needs to be manually removed, otherwise it may try " + "to reset password for accounts that are no longer existent.") + @classmethod def main(cls, argv): """ @@ -343,3 +349,5 @@ class WinsyncMigrate(admintool.AdminTool): self.migrate_hbac_memberships(entry) self.migrate_selinux_memberships(entry) self.ldap.delete_entry(entry) + + self.warn_passsync() -- 2.1.0
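Review bot: in the first hunk, warn_passsync() logs "Migration completed." at warning level as part of the PassSync notice, so the completion status and the caution cannot be told apart or filtered separately. Suggest reporting completion at info level and keeping the warning to the PassSync text alone. The phrase "accounts that are no longer existent" would read better as "accounts that no longer exist", and "reset password" as "reset passwords"; the new method also has no docstring.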
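Review bot: in the second hunk, self.warn_passsync() is placed after self.ldap.delete_entry(entry), so the administrator first hears about PassSync once the winsync copies have already been deleted. The message itself says PassSync "may try to reset password for accounts that are no longer existent", which is exactly the state the server is in from that point on. Consider also emitting the notice before the migration starts, so PassSync can be removed from the Active Directory server beforehand, and keep the post-migration message as a reminder.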
From 9a77a959fbe2886792821c315918244e12d13160 Mon Sep 17 00:00:00 2001 From: Tomas Babej <[email protected]> Date: Mon, 17 Aug 2015 08:46:20 +0200 Subject: [PATCH] winsync-migrate: Expand the man page https://fedorahosted.org/freeipa/ticket/5162 --- install/tools/man/ipa-winsync-migrate.1 | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/install/tools/man/ipa-winsync-migrate.1 b/install/tools/man/ipa-winsync-migrate.1 index a1e01c83da6017d5cbe10297dbe84a4dd1741ec7..88702bad6fca66206dcbc1a90fce495eb33598fb 100644 --- a/install/tools/man/ipa-winsync-migrate.1 +++ b/install/tools/man/ipa-winsync-migrate.1 @@ -16,7 +16,7 @@ .\" .\" Author: Tomas Babej <[email protected]> .\" -.TH "ipa-advise" "1" "Mar 10 2015" "FreeIPA" "FreeIPA Manual Pages" +.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users. .SH "SYNOPSIS" 
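Review bot: the .TH line corrects the title from "ipa-advise" to "ipa-winsync-migrate" but keeps the date field "Mar 10 2015", although this patch is dated 17 Aug 2015 and expands the page with new sections. Suggest updating the date in the same change so the rendered man page footer reflects the revised content.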
@@ -25,3 +25,28 @@ ipa\-winsync\-migrate Migrates AD users created by winsync agreement to ID overrides in the Default Trust View, thus preserving the actual POSIX attributes already established. + +Prior to the actual migration, the winsync replication agreement +will be removed to protect the removal of the user accounts +on the Active Directory side. + +During the migration, group, assigned roles, HBAC rules and SELinux +memberships of the synced users will be preserved. Any local copies +(created by winsync) of the migrated users will be removed. + +.SH "WARNINGS" +After the migration, any PassSync agreements need to be removed +from Active Directory Domain Controllers, otherwise they might +attempt to update passwords for accounts that no longer exist +on the IPA server. + +.SH "OPTIONS" +.TP +\fB\-\-realm\fR +The Active Directory realm the winsynced users belong to. +.TP +\fB\-\-server\fR +The hostname of Active Directory Domain Controller the winsync replication agreement is established with. +.TP +\fB\-\-unattended\fR +Never prompts for user input. -- 2.1.0
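Review bot: in the added description text, "will be removed to protect the removal of the user accounts on the Active Directory side" reads as the opposite of what is presumably intended; "to prevent the removal of the user accounts" would say it unambiguously. In the OPTIONS section, \-\-realm and \-\-server are listed without an argument placeholder even though their descriptions imply a value, so the .TP entries should show one. "group, assigned roles, HBAC rules and SELinux memberships" also needs a fix, for example "group memberships, assigned roles, HBAC rules and SELinux user maps of the synced users".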
