Hi,

the following pair of patches fixes:

https://fedorahosted.org/freeipa/ticket/5162
From ab4f6e4ebdd91e9f57540acd11ecf0c13f1f2d81 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 17 Aug 2015 08:46:52 +0200
Subject: [PATCH] winsync-migrate: Add warning about passsync

https://fedorahosted.org/freeipa/ticket/5162
---
 ipaserver/install/ipa_winsync_migrate.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index 73f79249a1f6e3f0cefa347fa20d472b5723ed9e..097b8c806cfb4df2ea98db86da7b34d99176a9c4 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -302,6 +302,12 @@ class WinsyncMigrate(admintool.AdminTool):
             object_container_dn=DN(api.env.container_selinux, api.env.basedn),
         )
 
+    def warn_passsync(self):
+        self.log.warning("Migration completed. Please note that if PassSync "
+            "was configured on the given Active Directory server, "
+            "it needs to be manually removed, otherwise it may try "
+            "to reset password for accounts that are no longer existent.")
+
     @classmethod
     def main(cls, argv):
         """
@@ -343,3 +349,5 @@ class WinsyncMigrate(admintool.AdminTool):
             self.migrate_hbac_memberships(entry)
             self.migrate_selinux_memberships(entry)
             self.ldap.delete_entry(entry)
+
+        self.warn_passsync()
-- 
2.1.0

From 9a77a959fbe2886792821c315918244e12d13160 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 17 Aug 2015 08:46:20 +0200
Subject: [PATCH] winsync-migrate: Expand the man page

https://fedorahosted.org/freeipa/ticket/5162
---
 install/tools/man/ipa-winsync-migrate.1 | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/install/tools/man/ipa-winsync-migrate.1 b/install/tools/man/ipa-winsync-migrate.1
index a1e01c83da6017d5cbe10297dbe84a4dd1741ec7..88702bad6fca66206dcbc1a90fce495eb33598fb 100644
--- a/install/tools/man/ipa-winsync-migrate.1
+++ b/install/tools/man/ipa-winsync-migrate.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Tomas Babej <tba...@redhat.com>
 .\"
-.TH "ipa-advise" "1" "Mar 10 2015" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users.
 .SH "SYNOPSIS"
@@ -25,3 +25,28 @@ ipa\-winsync\-migrate
 Migrates AD users created by winsync agreement to ID overrides in
 the Default Trust View, thus preserving the actual POSIX attributes
 already established.
+
+Prior to the actual migration, the winsync replication agreement
+will be removed to protect the removal of the user accounts
+on the Active Directory side.
+
+During the migration, group, assigned roles, HBAC rules and SELinux
+memberships of the synced users will be preserved. Any local copies
+(created by winsync) of the migrated users will be removed.
+
+.SH "WARNINGS"
+After the migration, any PassSync agreements need to be removed
+from Active Directory Domain Controllers, otherwise they might
+attempt to update passwords for accounts that no longer exist
+on the IPA server.
+
+.SH "OPTIONS"
+.TP
+\fB\-\-realm\fR
+The Active Directory realm the winsynced users belong to.
+.TP
+\fB\-\-server\fR
+The hostname of Active Directory Domain Controller the winsync replication agreement is established with.
+.TP
+\fB\-\-unattended\fR
+Never prompts for user input.
-- 
2.1.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to