Following the document here: https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-sync-agmt.html#tab.sync-agmt-attrs
All users whose Active Directory samAccountName matched FreeIPA uids had their FreeIPA uids and Kerberos principals deleted...
I double-checked /var/log/slapd-INSTANCE/audit and I can confirm that I see the MemberOf plugin deleting the users from their previously associated groups, but I DO NOT see any logs clearly showing the WinSync plugin deleting them. LDAP searches confirm that the users no longer exist in LDAP OR Kerberos...
Package Versions:
freeipa-server-selinux-2.1.90.rc1-0.fc16.x86_64
freeipa-server-2.1.90.rc1-0.fc16.x86_64
freeipa-admintools-2.1.90.rc1-0.fc16.x86_64
freeipa-client-2.1.90.rc1-0.fc16.x86_64
freeipa-python-2.1.90.rc1-0.fc16.x86_64
389-ds-base-libs-1.2.10.6-1.fc16.x86_64
389-ds-base-1.2.10.6-1.fc16.x86_64
attachment errors
I've been trying to reproduce - this is what I've done
After it completes, all users are as they should be - not really sure what to do at this point - can one of you guys run the server in gdb and reproduce the problem?
What is the newest 389-ds-base 1.2.10? Mine is listed as .6-1. Or perhaps we have different things in our agreements?
How did you set up the agreement and what steps did you do to update?
I did:
Then:
$ ldapmodify -x -D "cn=directory manager" -w password
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: nsds7WindowsReplicaSubtree
nsds7WindowsReplicaSubtree: CN=People,DC=example,DC=com

modifying entry "cn=ipa-winsync,cn=plugins,cn=config"
And finally:
I am not using IPA at all - just trying with plain old 389 + the ipa winsync plugin.
Can you attach the output of
ldapsearch -x -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement
and
ldapsearch -x -D "cn=directory manager" -W -b cn=config "cn=ipa-winsync"
?
attachment winsync-search.ldif
attachment config-search.ldif
Still cannot reproduce - steps
Afterwards, ipa find-user and ldapsearch found all 3 users in IPA
Deleted the users from AD, waited a few minutes, users were deleted from IPA
Re-added the users to IPA and AD, ran a re-initialize
found all 3 users in IPA
So I'm not really sure what to do at this point - I cannot reproduce the problem
This was related to the fact that JR was changing the subtree after the agreement was set up. winsync wasn't seeing the entries in scope, so it was deleting them on the IPA side. When I had duplicated it I had passed --subtree and perhaps I pointed to the wrong location.
This will be addressed in 389-ds-base in ticket https://fedorahosted.org/389/ticket/355
The most we'll need to do on the ipa side is set the n-v-r of 389-ds-base.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=824073
Currently targeted for 389-ds-base 1.3, moving to the 3.1 release.
This ticket is now superseded by #2927.
Replying to [comment:3 jraquino]:
What is the newest 389-ds-base 1.2.10? Mine is listed as .6-1. Or perhaps we have different things in our agreements?
How did you set up the agreement and what steps did you do to update?
I did:
ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw Windows-secret --passsync secretpwd --cacert /etc/openldap/cacerts/windows.cer adserver.example.com -v
Ok. This creates the windows sync agreement entry e.g.
dn: cn=WSA,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: cn=users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com
For the windows subtree, it takes the first namingContexts value from the AD root DSE "".
Then:
$ ldapmodify -x -D "cn=directory manager" -w password
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: nsds7WindowsReplicaSubtree
nsds7WindowsReplicaSubtree: CN=People,DC=example,DC=com

modifying entry "cn=ipa-winsync,cn=plugins,cn=config"
This would have done nothing (or given an error). I think you meant the replication agreement entry e.g.
dn: cn=WSA,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
replace: nsds7WindowsReplicaSubtree
nsds7WindowsReplicaSubtree: CN=People,DC=example,DC=com
correct?
So under cn=Users and cn=People in AD, you have users that have userids that correspond to userids under cn=users,cn=accounts in IPA. And when you did the force-sync, was it the userids from cn=Users or cn=People that were deleted from IPA?
This is what is happening:
So there are really two bugs here:
1) improper handling of subtree change during init/update
2) should not delete entries
I think what should happen is that, if there is an update in progress, the init/update should complete with the original subtree, and store any subsequent subtree changes to be applied after the init/update is complete. And entries should only be deleted if actually deleted by a delete operation.
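The analysis above boils down to a scope question: once nsds7WindowsReplicaSubtree on the agreement entry is changed, every AD user that winsync previously synced but that no longer sits under the new subtree drops out of scope, and in the affected build that was enough for the IPA counterpart to be deleted. The following script is an added example (not code from the ticket, FreeIPA or 389-ds) that an administrator could run before touching the agreement: it parses the agreement entry as returned by the ldapsearch against cn=config shown earlier, normalises DNs for case-insensitive comparison, and reports which already-synced AD users would leave scope (and which would newly enter it) for a proposed subtree. The LDIF and AD DNs below are constructed sample data modelled on the values in this ticket.

```python
import re
from typing import Dict, List

# Constructed LDIF for a winsync agreement entry, modelled on the cn=WSA
# entry quoted in the ticket; the values are sample data, not a real deployment.
AGREEMENT_LDIF = """\
dn: cn=WSA,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsds7WindowsReplicaSubtree: cn=users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed AD user DNs: the first two live under CN=Users (the subtree the
# agreement was created with), the third under CN=People (the proposed one).
AD_USER_DNS = [
    "CN=alice,CN=Users,DC=example,DC=com",
    "CN=bob,CN=Users,DC=example,DC=com",
    "CN=carol,CN=People,DC=example,DC=com",
]

# Split a DN on commas that are not backslash-escaped.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {lowercase attribute: [values]}.

    Handles folded continuation lines (leading space) and '#' comments.
    Base64 ('::') values are not decoded; the agreement attributes we need
    are plain strings in ldapsearch output.
    """
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        elif line and not line.startswith("#"):
            logical.append(line)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def normalize_dn(dn: str) -> List[str]:
    """Return the RDNs of a DN, normalised for comparison.

    AD and 389-ds compare these attribute types case-insensitively, so both
    type and value are lowercased and whitespace around '=' is dropped.
    Quoted RDN values containing commas (as in the agreement DN itself)
    are not handled; only subtree and user DNs are passed here.
    """
    return [re.sub(r"\s*=\s*", "=", rdn.strip()).lower()
            for rdn in _RDN_SPLIT.split(dn)]


def in_subtree(dn: str, subtree: str) -> bool:
    """True if dn is the subtree base or lies anywhere beneath it."""
    d, s = normalize_dn(dn), normalize_dn(subtree)
    return len(d) >= len(s) and d[-len(s):] == s


def scope_change_impact(ad_dns: List[str], old_subtree: str,
                        new_subtree: str) -> Dict[str, List[str]]:
    """Classify synced AD entries by what a subtree change does to them.

    'leaving' entries are the dangerous set: winsync would stop seeing them,
    which in the ticket's analysis led to their IPA counterparts being deleted.
    """
    leaving = [dn for dn in ad_dns
               if in_subtree(dn, old_subtree) and not in_subtree(dn, new_subtree)]
    entering = [dn for dn in ad_dns
                if in_subtree(dn, new_subtree) and not in_subtree(dn, old_subtree)]
    return {"leaving": leaving, "entering": entering}


def check_agreement(ldif_text: str, ad_dns: List[str],
                    proposed_subtree: str) -> Dict[str, List[str]]:
    """Read the current Windows subtree from the agreement LDIF and report
    the impact of switching it to proposed_subtree."""
    entry = parse_ldif_entry(ldif_text)
    current = entry["nsds7windowsreplicasubtree"][0]
    return scope_change_impact(ad_dns, current, proposed_subtree)


if __name__ == "__main__":
    report = check_agreement(AGREEMENT_LDIF, AD_USER_DNS,
                             "CN=People,DC=example,DC=com")
    for dn in report["leaving"]:
        print("LEAVES SCOPE (IPA entry at risk):", dn)
    for dn in report["entering"]:
        print("enters scope:", dn)
```

Run against the real agreement, the LDIF argument would be the output of the ldapsearch on cn=config for objectclass=nsDSWindowsReplicationAgreement, and the DN list would come from an LDAP search of the AD side; a non-empty "leaving" list means the change should wait until any in-progress init/update has finished, and the affected entries should be accounted for before the subtree is modified.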
It seems that related ticket is closed. Can we close this one too? See #2927
Confirmed dup of #2927
Rename component.
Metadata Update from @jraquino:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)