On 09/13/2012 02:39 PM, Steven Jones wrote:

why are legit users including those in the admin group "out of scope"?

They are out of scope of the winsync agreement.

Let's say you have in AD

and in IPA

and you set up your winsync agreement as

nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com

That is, you want users in cn=Users,dc=example,dc=com to be in sync with cn=users,cn=accounts,dc=example,dc=com

IPA uses a flat dit - users are grouped not by hierarchy but by attributes, as opposed to AD which uses hierarchies for grouping. So IPA "flattens" hierarchies when it syncs users from AD to DS.

Let's say you have
cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith

because of the way that winsync works, it will think because the AD entry and the IPA have the same userid, they should be in sync - but because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope of cn=Users,dc=example,dc=com winsync will think that the user has moved outside the scope of the agreement, and will delete the user. Obviously it should not do that by default, hence https://fedorahosted.org/389/ticket/355

But why do you have users with the same userid in AD out of the scope of the sync agreement with the same userid as an IPA user?

and how do I put legit users in scope?

and why doesnt the winsync doc section at least comment (obviously) that I have 
to change scopes?
"change scopes"?
kind of bad news when I lose all my users.......


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 14 September 2012 12:30 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement

Steven Jones wrote:
I just setup a winsync agreement expect its wiped any IPA user that also
exists in AD.

Is this expected? if so how do I stop it doing that?
The 389-ds winsync plugin is deleting entries that appear to be out of


Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to