On 09/13/2012 05:11 PM, Steven Jones wrote:

So I have 6.3 and just lost all my IPA users.
In production or in a test environment?
So anyone on 6.2/6.3 until they upgrade after December's 6.4 could lose all 
their IPA users if they do a winsync agreement and dont twig to that option 
being essential if they dont have a std AD.
Please explain "std AD".
Not only that my admins are in a separate OU, so even if I had done a 
--win-subtree=cn=staff_users admins being elsewhere would have gone bye bye 
Let's say you have in AD

and in IPA

and you set up your winsync agreement as

nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com

That is, you want users in cn=Users,dc=example,dc=com to be in sync with cn=users,cn=accounts,dc=example,dc=com

IPA uses a flat dit - users are grouped not by hierarchy but by attributes, as opposed to AD which uses hierarchies for grouping. So IPA "flattens" hierarchies when it syncs users from AD to DS.

Let's say you have
cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith

because of the way that winsync works, it will think because the AD entry and the IPA have the same userid, they should be in sync - but because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope of cn=Users,dc=example,dc=com winsync will think that the user has moved outside the scope of the agreement, and will delete the user. Obviously it should not do that by default, hence https://fedorahosted.org/389/ticket/355

But why do you have users with the same userid in AD out of the scope of the sync agreement with the same userid as an IPA user?

Luckily I hadnt disabled the admin account yet.....it was the only one left.

I guess this stuff is a lot more complex than it looks.



Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

will be fixed in RHEL 6.4 - not sure what you mean by "RHEL6 production

Freeipa-users mailing list

Reply via email to