Yes, kind of. I wanted a new environment with a proper certificate authority setup with only the old users and groups from the IPA 3.0 environment. The old environment uses a self-signed CA, I thought it would be easier to just migrate my users and groups.

On 9 Sep 2015 4:49 pm, Rob Crittenden <rcrit...@redhat.com> wrote:

Andreas Calminder wrote:
> Hi,
> thanks for your reply, I'm able to list the user with ldapsearch and I
> can't find any conflict entries described in the article. The 4.1
> environment is only 1 server connected to active directory. Forgot to
> reply to the list before, doh!
>
> I've noticed a difference between users in 3.0 and 4.1 though, migrated
> users in the 4.1 do not have an entry in "
> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" while users in 3.0 have this.
> Example:
>
> FreeIPA 4.1 environment:
> # ldapsearch -xLLL -D "cn=directory manager" -W
> -b"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
> Enter LDAP Password:
> No such object (32) Matched DN:
> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
>
> FreeIPA 3.0 environment:
> # ldapsearch -xLLL -D "cn=directory manager" -W -b
> "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
> Enter LDAP Password:
> dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
> objectClass: posixgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: top
> cn: batman
> gidNumber: 1486600065
> description: User private group for batman
> mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
> ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c

Migrated users don't get user-private groups created.

Is there a reason you migrated from 3.0 to 4.1 rather than just adding a 4.1 master to the existing pool?

rob

>
> /andreas
>
> On 09/09/2015 04:29 PM, Rich Megginson wrote:
>> On 09/09/2015 03:39 AM, Martin Basti wrote:
>>>
>>>
>>> On 09/09/2015 10:50 AM, Andreas Calminder wrote:
>>>> Forgot to write that deleting users in active directory not migrated
>>>> with the migrate-ds command works fine, it's only migrated users
>>>> present in the ad that breaks the winsync agreement on deletion.
>>>>
>>>> On 09/09/2015 10:35 AM, Andreas Calminder wrote:
>>>>> Hi,
>>>>> I've asked in #freeipa on freenode but to no avail, figured I'll
>>>>> ask here as well, since I think I've actually hit a bug or (quite)
>>>>> possibly I've done something moronic configuration/migration -wise.
>>>>>
>>>>> I've got an existing FreeIPA 3.0.0 environment running with a fully
>>>>> functioning winsync agreement and passsync service with the windows
>>>>> environments active directory, I'm trying to migrate the 3.0.0
>>>>> environments users into a freshly installed 4.1 (rhel7)
>>>>> environment, after migration I setup a winsync agreement and make
>>>>> it bi-directional (one-way sync from windows) everything seems to
>>>>> be working alright until I delete a migrated user from the Active
>>>>> Directory, after the winsync picks up on the change it'll break and
>>>>> suggests a re-initialize. After the re-initialization the agreement
>>>>> seems to be fine, however the deleted user is still present in the
>>>>> ipa 4.1 environment and cannot be deleted. The webgui and ipa cli
>>>>> says: ipauser1: user not found. ipa user-find ipauser1 finds the
>>>>> user and it's visible in the ui.
>>>>>
>>>>> Anyone had the same problem or anything similar or any pointers on
>>>>> where to start looking?
>>>>>
>>>>> Regards,
>>>>> Andreas
>>>>>
>>>>
>>>
>>> Hello, this might be a replication conflict.
>>>
>>> Can you list that user via ldapsearch to check if this is replication
>>> conflict?
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>>
>>>
>> Use the latest docs, just in case they are more accurate:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
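
The difference discussed in the thread (a 3.0 user has a `mepManagedEntry` group whose `mepManagedBy` points back at the user, a migrated 4.1 user does not) can be audited from an LDIF export. The following is an added example, not code from the thread or from FreeIPA; it assumes the export covers both the users and groups containers, that user entries carry a `uid` attribute, and it runs on a constructed sample.

```python
import base64
# Constructed sample shaped like `ldapsearch -xLLL` output; not real directory data.
SAMPLE_LDIF = """\
dn: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
uid: batman

dn: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
uid: robin

dn: cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: mepManagedEntry
mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,
 dc=domain,dc=tld
"""

def parse_ldif(text):
    """Return one {attribute_lowercased: [values]} dict per LDIF entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def norm_dn(dn):
    """Comparison key: lower-cased, no spaces around the commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def users_without_private_group(entries):
    """uids of user entries that no mepManagedEntry group points back to."""
    managed = {norm_dn(v) for e in entries
               if "mepmanagedentry" in (c.lower() for c in e.get("objectclass", []))
               for v in e.get("mepmanagedby", [])}
    return sorted(e["uid"][0] for e in entries
                  if "uid" in e and norm_dn(e["dn"][0]) not in managed)

if __name__ == "__main__":
    print(users_without_private_group(parse_ldif(SAMPLE_LDIF)))
```
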