On 09/10/2015 05:00 PM, Rob Crittenden wrote:
Martin Kosek wrote:
Hmm, does this mean we need to update our HowTo on migrating FreeIPA to FreeIPA via migrate-ds? It is already quite a long command, mostly due to the need of removing Kerberos attributes:

I think it should. I haven't updated it because I never actually tested it to see that it worked as expected. It seems to be working for Andreas though.

rob

It works for me. I have updated the page.

Martin

On 09/09/2015 09:40 PM, Andreas Calminder wrote:
Hi,
I just wanted to post the solution for this. I've reported this to Redhat and a bug has been filed (https://bugzilla.redhat.com/1261536). The problem was that migrate-ds copied the attribute mepManagedEntry on migration; the suggested workaround, running migrate-ds with

  --user-ignore-attribute=mepManagedEntry --user-ignore-objectclass=mepOriginEntry

worked like a charm (Thanks Rob!). Deleting users in Active Directory doesn't break the winsync agreement and I'm able to delete migrated users directly in ipa. As mentioned in the bug comments, migrate-ds isn't really for ipa to ipa migration. However, it kind of worked...

/andreas

From: freeipa-devel-boun...@redhat.com [mailto:freeipa-devel-boun...@redhat.com] On Behalf Of Andreas Calminder
Sent: 9 September 2015 17:16
To: firstname.lastname@example.org
Subject: Re: [Freeipa-devel] IPA 3.0 migrated to 4.1 users break winsync agreement when deleted in active directory

Yes, kind of. I wanted a new environment with a proper certificate authority setup with only the old users and groups from the IPA 3.0 environment. The old environment uses a self-signed CA; I thought it would be easier to just migrate my users and groups.

On 9 Sep 2015 4:49 pm, Rob Crittenden <rcrit...@redhat.com> wrote:
Andreas Calminder wrote:
Hi, thanks for your reply. I'm able to list the user with ldapsearch and I can't find any conflict entries described in the article. The 4.1 environment is only 1 server connected to Active Directory. Forgot to reply to the list before, doh!

I've noticed a difference between users in 3.0 and 4.1 though: migrated users in 4.1 do not have an entry in "cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld" while users in 3.0 have this.

Example:

FreeIPA 4.1 environment:
# ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
Enter LDAP Password:
No such object (32)
Matched DN: cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

FreeIPA 3.0 environment:
# ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld"
Enter LDAP Password:
dn: cn=batman,cn=groups,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: batman
gidNumber: 1486600065
description: User private group for batman
mepManagedBy: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
ipaUniqueID: 139f6140-5074-11e5-a09d-005056914c0c

Migrated users don't get user-private groups created.

Is there a reason you migrated from 3.0 to 4.1 rather than just adding a 4.1 master to the existing pool?

rob

/andreas

On 09/09/2015 04:29 PM, Rich Megginson wrote:
On 09/09/2015 03:39 AM, Martin Basti wrote:
On 09/09/2015 10:50 AM, Andreas Calminder wrote:
Forgot to write that deleting users in Active Directory not migrated with the migrate-ds command works fine; it's only migrated users present in the AD that break the winsync agreement on deletion.

On 09/09/2015 10:35 AM, Andreas Calminder wrote:
Hi,
I've asked in #freeipa on freenode but to no avail, figured I'll ask here as well, since I think I've actually hit a bug or (quite) possibly I've done something moronic configuration/migration-wise.

I've got an existing FreeIPA 3.0.0 environment running with a fully functioning winsync agreement and passsync service with the Windows environment's Active Directory. I'm trying to migrate the 3.0.0 environment's users into a freshly installed 4.1 (rhel7) environment. After migration I set up a winsync agreement and make it bi-directional (one-way sync from Windows); everything seems to be working alright until I delete a migrated user from the Active Directory. After the winsync picks up on the change it'll break and suggest a re-initialize. After the re-initialization the agreement seems to be fine; however, the deleted user is still present in the ipa 4.1 environment and cannot be deleted. The webgui and ipa cli say: ipauser1: user not found. ipa user-find ipauser1 finds the user and it's visible in the ui.

Anyone had the same problem or anything similar or any pointers on where to start looking?

Regards,
Andreas

Hello,
this might be a replication conflict. Can you list that user via ldapsearch to check if this is a replication conflict?
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

Use the latest docs, just in case they are more accurate:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
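The failure mode discussed in this thread is a user entry that still carries the copied mepManagedEntry attribute while the user-private group it points at was never recreated on the 4.1 side (or the group's mepManagedBy back-link still names the old DN). The following script, an added example that is not part of the thread and not FreeIPA project code, reads an LDIF export of the users and groups containers and reports exactly those dangling or inconsistent managed-entry links, so an administrator can check a migration before enabling winsync or re-run migrate-ds with the ignore options Andreas used. The LDIF sample is constructed; its DNs mirror the dc=sub,dc=domain,dc=tld and dc=dev examples quoted above.

```python
"""Audit managed-entry (mepManagedEntry / mepManagedBy) links in an LDIF export.

Added example, not FreeIPA project code.  Typical input is the output of
  ldapsearch -xLLL -D "cn=directory manager" -W -b cn=accounts,dc=sub,dc=domain,dc=tld
saved to a file; here a constructed LDIF is embedded so the script runs offline.
"""
import base64
import sys

# Constructed sample: batman was migrated and his private group never recreated,
# alfred's group exists but its back-link still names the old dc=dev suffix,
# robin was created locally and is consistent.
SAMPLE_LDIF = """\
dn: uid=batman,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
objectClass: mepOriginEntry
uid: batman
mepManagedEntry: cn=batman,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
objectClass: mepOriginEntry
uid: robin
mepManagedEntry: cn=robin,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: uid=alfred,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixaccount
objectClass: mepOriginEntry
uid: alfred
mepManagedEntry: cn=alfred,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld

dn: cn=robin,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: mepManagedEntry
cn: robin
mepManagedBy: uid=robin,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld

dn: cn=alfred,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld
objectClass: posixgroup
objectClass: mepManagedEntry
cn: alfred
mepManagedBy: uid=alfred,cn=users,cn=accounts,dc=dev,dc=sub,dc=domain,dc=tld
"""

# The workaround from the thread, for the operator to add to the migrate-ds command.
MIGRATE_DS_WORKAROUND = [
    "--user-ignore-attribute=mepManagedEntry",
    "--user-ignore-objectclass=mepOriginEntry",
]


def parse_ldif(text):
    """Minimal LDIF parser: {dn.lower(): {"dn": dn, "attrs": {attr.lower(): [values]}}}.
    Handles folded continuation lines (leading space), '::' base64 values and '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current["dn"].lower()] = current
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr.lower(), []).append(value)
    return entries


def check_managed_entries(entries):
    """Return sorted (user_dn, target_dn, reason) for every mepManagedEntry link that is
    dangling (target absent) or whose target's mepManagedBy does not point back."""
    findings = []
    for key, entry in entries.items():
        for target in entry["attrs"].get("mepmanagedentry", []):
            group = entries.get(target.lower())
            if group is None:
                findings.append((entry["dn"], target, "managed group does not exist"))
                continue
            back = [b.lower() for b in group["attrs"].get("mepmanagedby", [])]
            if key not in back:
                findings.append((entry["dn"], target, "mepManagedBy does not point back to the user"))
    return sorted(findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    problems = check_managed_entries(parse_ldif(text))
    for user_dn, target, reason in problems:
        print(f"{user_dn} -> {target}: {reason}")
    if problems:
        print("consider re-running migrate-ds with:", " ".join(MIGRATE_DS_WORKAROUND))
```

Run it with the path to an LDIF export as the only argument, or with no argument to see the constructed sample flag batman (missing group) and alfred (stale back-link) while robin passes. DN comparison is a plain case-insensitive string match, which is enough for the single-suffix exports shown in the thread; it does not normalise whitespace or attribute ordering inside RDNs.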
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code