On 09/13/2012 05:11 PM, Steven Jones wrote:
So I have 6.3 and just lost all my IPA users.
In production or in a test environment?
So anyone on 6.2/6.3 until they upgrade after December's 6.4 could lose all
their IPA users if they do a winsync agreement and dont twig to that option
being essential if they dont have a std AD.
Please explain "std AD".
Not only that my admins are in a separate OU, so even if I had done a
--win-subtree=cn=staff_users admins being elsewhere would have gone bye bye
Let's say you have in AD
and in IPA
and you set up your winsync agreement as
That is, you want users in cn=Users,dc=example,dc=com to be in sync with
IPA uses a flat dit - users are grouped not by hierarchy but by
attributes, as opposed to AD which uses hierarchies for grouping. So
IPA "flattens" hierarchies when it syncs users from AD to DS.
Let's say you have
cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith
because of the way that winsync works, it will think because the AD
entry and the IPA have the same userid, they should be in sync - but
because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope
of cn=Users,dc=example,dc=com winsync will think that the user has moved
outside the scope of the agreement, and will delete the user. Obviously
it should not do that by default, hence
But why do you have users with the same userid in AD out of the scope of
the sync agreement with the same userid as an IPA user?
Luckily I hadnt disabled the admin account yet.....it was the only one left.
I guess this stuff is a lot more complex than it looks.
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
will be fixed in RHEL 6.4 - not sure what you mean by "RHEL6 production
Freeipa-users mailing list