On 09/14/2012 09:20 AM, Dmitri Pal wrote:
On 09/13/2012 08:10 PM, Steven Jones wrote:
Are there corresponding users in IPA where the IPA uid is the same as
the AD samaccountname of a user in the admin subtree?

I think the answer to that is yes.

"admin-steven" in IPA also exists in AD as "admin-steven". So if I had set
the two to different names the one in IPA would not have been wiped in IPA.

So now that we understand the crux of the problem, Steven can you advise
us on what we should have said and where (in docs or somewhere else)
about this logic.
Keep in mind that winsync is based on DS sync and we did not have this
problem in DS in the past.
Right. It was a bug introduced into the winsync code around 1.2.9 or so, when we changed winsync to support entry move and subtree rename. We mistakenly thought that this particular section of code would only apply when an entry was moved from within the sync subtree to outside of the sync subtree, in which case it seemed logical at the time to delete the DS entry. The code has been changed in to do one of 3 things in this case 1) do nothing 2) delete the entry 3) unsync the entry.

With IPA we have a flat tree but same problem can be faced in pure 389 DS.

I hope you realize that we did not do it on purpose. We definitely did
not realize that anyone would be manually creating users with the same
names. From the point of the sync algorithm it made sense to do what we
have implemented as it seemed logical. JR faced this issue and filed a
bug. We agreed with it but we still thought that it is a fairly corner
case, this is why we did not file an errata or anything like.
Right. This case is caused when you have in AD
dn: cn=Steve Jones,cn=Users,dc=example,dc=com
samaccountname: sjones
dn: cn=Steve Jones,cn=AdminUsers,dc=example,dc=com
samaccountname: sjones

We didn't think at the time that it made sense to do something like this, since the username is usually supposed to be unique within a domain - why would you have two user entries with the same username?

However this is not the point. Back to my question. How could we have
prevented this problem for you to make an informed decision and not do
what you have done? Also realistically do you think it should be an
errata? Doing an errata comes with a cost and the cost will be the
features and bug fixes from the later version. Sometimes the errata is
absolutely necessary but is it necessary now?


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
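The collision the thread describes (an AD entry outside the sync subtree whose sAMAccountName matches an existing IPA uid) is easy to audit for before winsync is enabled. The following is an added example, not code from the thread or from the 389 DS/FreeIPA projects; the AD entries, IPA uids and sync subtree are constructed sample data modelled on the example above.

```python
"""Pre-sync audit for the winsync same-name collision discussed in the thread."""
from collections import defaultdict

# Constructed AD entries, modelled on the thread's example: the same
# sAMAccountName appears once inside and once outside the sync subtree.
AD_ENTRIES = [
    {"dn": "cn=Steve Jones,cn=Users,dc=example,dc=com", "samaccountname": "sjones"},
    {"dn": "cn=Steve Jones,cn=AdminUsers,dc=example,dc=com", "samaccountname": "sjones"},
    {"dn": "cn=Alice,cn=Users,dc=example,dc=com", "samaccountname": "alice"},
    {"dn": "cn=Bob Admin,cn=AdminUsers,dc=example,dc=com", "samaccountname": "admin-bob"},
]
# Constructed IPA uids, as they would exist in the IPA directory before sync.
IPA_UIDS = {"sjones", "alice", "admin-bob", "carol"}
# Constructed sync subtree; only entries under it are meant to be synced.
SYNC_SUBTREE = "cn=Users,dc=example,dc=com"


def in_subtree(dn, subtree):
    """Case-insensitive DN suffix match (assumes normalised DNs)."""
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)


def find_duplicate_names(ad_entries):
    """Return {samaccountname: [dn, ...]} for names used by more than one AD entry."""
    by_name = defaultdict(list)
    for entry in ad_entries:
        by_name[entry["samaccountname"].lower()].append(entry["dn"])
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


def find_at_risk(ad_entries, ipa_uids, sync_subtree):
    """Return {samaccountname: [dn, ...]} for AD entries outside the sync subtree
    whose name is also an IPA uid: the entries a buggy winsync would match against
    and delete on the IPA side, so these should be renamed or excluded before syncing."""
    uids = {uid.lower() for uid in ipa_uids}
    outside = defaultdict(list)
    for entry in ad_entries:
        if not in_subtree(entry["dn"], sync_subtree):
            outside[entry["samaccountname"].lower()].append(entry["dn"])
    return {name: dns for name, dns in outside.items() if name in uids}


if __name__ == "__main__":
    for name, dns in find_at_risk(AD_ENTRIES, IPA_UIDS, SYNC_SUBTREE).items():
        print(f"at risk: IPA uid {name!r} matches AD entries outside sync subtree: {dns}")
```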

Freeipa-users mailing list
