I just wanted to post the solution for this. I've reported this to Red Hat and a 
bug has been filed (https://bugzilla.redhat.com/1261536). The problem was that 
migrate-ds copied the attribute mepManagedEntry on migration; the suggested 
workaround, running migrate-ds with --user-ignore-attribute=mepManagedEntry 
--user-ignore-objectclass=mepOriginEntry, worked like a charm (thanks Rob!): 
deleting users in Active Directory doesn't break the winsync agreement and I'm 
able to delete migrated users directly in IPA. As mentioned in the bug 
comments, migrate-ds isn't really for IPA to IPA migration. However, it kind of 


From: freeipa-devel-boun...@redhat.com 
[mailto:freeipa-devel-boun...@redhat.com] On Behalf Of Andreas Calminder
Sent: 9 September 2015 17:16
To: freeipa-devel@redhat.com
Subject: Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync 
agreement when deleted in active directory

Yes, kind of. I wanted a new environment with a proper certificate authority 
setup with only the old users and groups from the IPA 3.0 environment. The old 
environment uses a self-signed CA; I thought it would be easier to just migrate 
my users and groups.
On 9 Sep 2015 4:49 pm, Rob Crittenden <rcrit...@redhat.com> wrote:
Andreas Calminder wrote:
> Hi,
> thanks for your reply, I'm able to list the user with ldapsearch and I
> can't find any conflict entries described in the article. The 4.1
> environment is only 1 server connected to active directory. Forgot to
> reply to the list before, doh!
> I've noticed a difference between users in 3.0 and 4.1 though: migrated
> users in 4.1 do not have an entry in
> "cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld", while users in 3.0 do.
> Example:
> FreeIPA 4.1 environment:
> # ldapsearch -xLLL -D "cn=directory manager" -W
> -b"cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
> Enter LDAP Password:
> No such object (32) Matched DN:
> cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
> FreeIPA 3.0 environment:
> # ldapsearch -xLLL -D "cn=directory manager" -W -b
> "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
> Enter LDAP Password:
> dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
> objectClass: posixgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: top
> cn: batman
> gidNumber: 1486600065
> description: User private group for batman
> mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
> ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c

Migrated users don't get user-private groups created.

Is there a reason you migrated from 3.0 to 4.1 rather than just adding a
4.1 master to the existing pool?


> /andreas
> On 09/09/2015 04:29 PM, Rich Megginson wrote:
>> On 09/09/2015 03:39 AM, Martin Basti wrote:
>>> On 09/09/2015 10:50 AM, Andreas Calminder wrote:
>>>> Forgot to write that deleting users in Active Directory not migrated
>>>> with the migrate-ds command works fine; it's only migrated users
>>>> present in AD that break the winsync agreement on deletion.
>>>> On 09/09/2015 10:35 AM, Andreas Calminder wrote:
>>>>> Hi,
>>>>> I've asked in #freeipa on freenode but to no avail, figured I'll
>>>>> ask here as well, since I think I've actually hit a bug or (quite)
>>>>> possibly I've done something moronic configuration/migration-wise.
>>>>> I've got an existing FreeIPA 3.0.0 environment running with a fully
>>>>> functioning winsync agreement and passsync service with the Windows
>>>>> environment's Active Directory. I'm trying to migrate the 3.0.0
>>>>> environment's users into a freshly installed 4.1 (rhel7)
>>>>> environment. After migration I set up a winsync agreement and make
>>>>> it bi-directional (one-way sync from Windows); everything seems to
>>>>> be working alright until I delete a migrated user from the Active
>>>>> Directory: after winsync picks up on the change it'll break and
>>>>> suggest a re-initialize. After the re-initialization the agreement
>>>>> seems to be fine, however the deleted user is still present in the
>>>>> ipa 4.1 environment and cannot be deleted. The webgui and ipa cli
>>>>> say: ipauser1: user not found. ipa user-find ipauser1 finds the
>>>>> user and it's visible in the ui.
>>>>> Anyone had the same problem or anything similar or any pointers on
>>>>> where to start looking?
>>>>> Regards,
>>>>> Andreas
>>> Hello, this might be a replication conflict.
>>> Can you list that user via ldapsearch to check if this is replication
>>> conflict?
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>> Use the latest docs, just in case they are more accurate:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
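The workaround in the top message (skipping mepManagedEntry and mepOriginEntry with --user-ignore-attribute and --user-ignore-objectclass) and Rob's remark that migrated users get no user-private group describe the same condition from two sides: a migrated user entry carrying a mepManagedEntry pointer to a group that does not exist on the new server. The following is an added example, not code from this thread or from FreeIPA: a small Python check that parses an ldapsearch -LLL style LDIF dump, reports users whose mepManagedEntry target is missing or does not point back via mepManagedBy, and shows what dropping that attribute and objectclass (the effect of the two migrate-ds options) looks like on the parsed entries. The LDIF sample is constructed, the parser is minimal (no base64 values), and the function names are the example's own.

```python
"""Check mepManagedEntry links in an LDIF dump before/after an IPA migration.

Added example for this thread, not FreeIPA code. The LDIF below is a
constructed sample: ``batman`` was migrated with its mepManagedEntry
attribute but has no user-private group on the new server; ``robin`` has a
consistent group. Function and sample names are the example's own.
"""
from collections import defaultdict

# Constructed sample in ``ldapsearch -LLL`` style (not real directory data).
SAMPLE_LDIF = """\
dn: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
objectClass: mepOriginEntry
uid: batman
mepManagedEntry: cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
objectClass: mepOriginEntry
uid: robin
mepManagedEntry: cn=robin,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: cn=robin,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: mepManagedEntry
cn: robin
description: User private group for robin
mepManagedBy: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
"""


def parse_ldif(text):
    """Parse minimal LDIF into {dn_lowercase: {attr_lowercase: [values]}}.

    Folded continuation lines (leading space) are joined; comments and text
    outside an entry (e.g. "Enter LDAP Password:") are ignored. Base64
    (``::``) values are not handled, as the sample does not use them.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current_dn, attrs = {}, None, None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():            # a blank line ends an entry
            if current_dn is not None:
                entries[current_dn] = attrs
            current_dn, attrs = None, None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current_dn, attrs = value.lower(), defaultdict(list)
        elif current_dn is not None:
            attrs[key].append(value)
    if current_dn is not None:
        entries[current_dn] = attrs
    return entries


def find_dangling_mep_links(entries):
    """Return sorted (user_dn, group_dn) pairs whose mepManagedEntry target is
    missing from the dump or does not point back via mepManagedBy."""
    problems = []
    for dn, attrs in entries.items():
        for target in attrs.get("mepmanagedentry", []):
            group = entries.get(target.lower())
            back_refs = [v.lower() for v in group.get("mepmanagedby", [])] if group else []
            if group is None or dn not in back_refs:
                problems.append((dn, target.lower()))
    return sorted(problems)


def scrub_mep_origin(entries):
    """Drop the mepManagedEntry attribute and the mepOriginEntry objectClass,
    i.e. the data the thread's --user-ignore-attribute/--user-ignore-objectclass
    options make migrate-ds skip. Returns a new dict; the input is untouched."""
    cleaned = {}
    for dn, attrs in entries.items():
        new_attrs = {k: list(v) for k, v in attrs.items() if k != "mepmanagedentry"}
        if "objectclass" in new_attrs:
            new_attrs["objectclass"] = [
                v for v in new_attrs["objectclass"] if v.lower() != "meporiginentry"
            ]
        cleaned[dn] = new_attrs
    return cleaned


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for user_dn, group_dn in find_dangling_mep_links(parsed):
        print(f"dangling mepManagedEntry: {user_dn} -> {group_dn}")
    print("after scrub:", find_dangling_mep_links(scrub_mep_origin(parsed)))
```

Feed it the output of an ldapsearch -LLL over cn=accounts (the same form of query quoted in the thread) from the 4.1 server: any user listed by find_dangling_mep_links is one whose user-private group was never created there and whose stale pointer a re-run of migrate-ds with the two ignore options would avoid carrying over.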
