Miguel Angel Coa M. wrote:
> Hi Rob,
> CN=LAB is a group entry and inside I've a few members
> 
> [.................]
> # LAB, Users, example2.com
> dn: CN=LAB,CN=Users,DC=example2,DC=com
> objectClass: top
> objectClass: group
> cn: LAB
> description: Usuario de grupo LAB
> member: CN=winuser64,CN=Users,DC=example2,DC=com
> member: CN=winuserlab2 userlab2,OU=Test,DC=example2,DC=com
> member: CN=winuser40 winuser40,OU=Test,DC=example2,DC=com
> member: CN=winuserlab1 userlab1,OU=Test,DC=example2,DC=com
> distinguishedName: CN=LAB,CN=Users,DC=example2,DC=com
> instanceType: 4
> whenCreated: 20171023203927.0Z
> whenChanged: 20171024203108.0Z
> uSNCreated: 49193
> uSNChanged: 61493
> name: LAB
> objectGUID:: gQBcEwVqHU+L3DmmZPVFFw==
> objectSid:: AQUAAAAAAAUVAAAAguTkYzspTdFQ0vfEWwQAAA==
> sAMAccountName: LAB
> sAMAccountType: 268435456
> groupType: -2147483640
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example2,DC=com
> dSCorePropagationData: 16010101000000.0Z

That's why. winsync syncs against a subtree, not members of a group.

rob

> [.................]
> 
> 
> Regards.
> 
> 
> 
> 
> Saludos.
> ---
> Miguel Coa M.
> 
> 2017-10-25 17:28 GMT-03:00 Rob Crittenden <rcrit...@redhat.com>:
> 
>     Miguel Angel Coa M. via FreeIPA-users wrote:
>     > Hello Everyone,
>     > I've set up an IPA server connected to AD (Windows Server 2012R2) and it works
>     > fine, but I need to change the sub-tree for user sync and this step fails
>     > (does not sync anything).
>     > For example, when I sync against the default base it is OK
>     >
>     > [.................]
>     > CN=Users,DC=example2,dc=com
>     > [.................]
>     >
>     > [.................]
>     > nsds7WindowsReplicaSubtree: CN=Users,DC=example2,DC=com
>     > [.................]
>     >
>     >
>     > But when I try to change the base, it does not sync anything
>     >
>     > [.................]
>     > CN=LAB,CN=Users,DC=example2,dc=com
>     > [.................]
>     >
>     > Where LAB is an AD group. Is it possible to sync against an AD group?
> 
>     IIRC winsync looks for entries that match objectclass=ntuser. Is CN=LAB
>     literally a group entry or a subtree?
> 
>     rob
> 
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
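
The distinction made in the reply above, as an added example that is not part of the original thread or of FreeIPA/389-ds code: a group's `member` values point at entries stored elsewhere in the tree, so none of them sits below the group's own DN. The helper names (`split_dn`, `is_under`, `audit_subtree`) are hypothetical, the DN comparison assumes case-insensitive matching, and the LDIF is trimmed from the entry quoted in the thread.

```python
from collections import Counter

def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        escaped = (ch == "\\") and not escaped
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append(attr.strip().lower() + "=" + value.strip().lower())
    return out

def is_under(dn, base):
    """True if dn is strictly below base in the directory tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) > len(b) and d[-len(b):] == b

def parse_entry(ldif):
    """Minimal single-entry LDIF reader (no base64 values or folded lines)."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def audit_subtree(ldif, subtree):
    """Report which members of a group entry live below a candidate subtree."""
    entry = parse_entry(ldif)
    members = entry.get("member", [])
    return {
        "is_group": "group" in [c.lower() for c in entry.get("objectclass", [])],
        "members_below": [m for m in members if is_under(m, subtree)],
        # Parent container of each member: where the user entries really are.
        "member_containers": Counter(",".join(split_dn(m)[1:]) for m in members),
    }

# Trimmed from the LDIF quoted in the thread.
LAB_LDIF = """dn: CN=LAB,CN=Users,DC=example2,DC=com
objectClass: top
objectClass: group
member: CN=winuser64,CN=Users,DC=example2,DC=com
member: CN=winuserlab2 userlab2,OU=Test,DC=example2,DC=com
member: CN=winuser40 winuser40,OU=Test,DC=example2,DC=com
member: CN=winuserlab1 userlab1,OU=Test,DC=example2,DC=com
"""
```

Calling `audit_subtree(LAB_LDIF, "CN=LAB,CN=Users,DC=example2,DC=com")` returns an empty `members_below` list, while `member_containers` shows the user entries sitting in `CN=Users` and `OU=Test`.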
