System randomly fails adding a new ipa user to the defined ipa primary group
"ipadefaultprimarygroup"

I typically add 1000 users into 10 different user groups for a total of 10,000
users. For each group of 1000 users I set the ipa defult primary group to which
the users to beong.  Random users typically 2-3 per 1000 users do not get added
to the default primary group.  The script sets the defualt ipa primary group
then starts 4 threads to add the 1000 users.  Below is the user-find results of
users added in this group of 1000.  The python script that adds the users
starts 4 threads, reads of a queue and calls user-add cli.  All the users get
created all the time, just somtimes not part of the defalt primary group.  The
user below uid=rh_ipa_user1000 which is not in the primary group ends up in
nobodys group, not even the ipauser group...

Test Env:
2 Ipa Masters
2 Ipa Clients

What was Active:
-2 UI were currently up, mo load applied via the Ipa UI

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64
389-ds-base-1.2.10.2-19.el6_3.x86_64

How reproducible: Yes
1. create 10 new groups
2. Set the defualt primary group via the CLI to one of the 10 groups just
created
3. Add 1k users, I run a python script simulating 4 admin threads concurrently
4. use the ui to determine the number of users in the group
5. continue to step 2


Additional info:

[root@sti-high-1 httpd]# ipa user-find --login rh_ipa_user1000 --all
--------------
1 user matched
--------------
  dn: uid=rh_ipa_user1000,cn=users,cn=accounts,dc=testrelm,dc=com
  User login: rh_ipa_user1000
  First name: First
  Last name: Last
  Full name: First Last
  Display name: First Last
  Initials: FL
  Home directory: /home/rh_ipa_user1000
  GECOS field: First Last
  Login shell: /bin/sh
  Kerberos principal: rh_ipa_user1000@TESTRELM.COM
  UID: 1677401012
  GID: 1677401012
  Account disabled: False
  Password: True
  Kerberos keys available: True
  ipauniqueid: 9a475904-f128-11e1-bf38-782bcb785283
  krbextradata: AAJg8jxQa2FkbWluZEBURVNUUkVMTS5DT00A
  krblastpwdchange: 20120828163128Z
  krbpasswordexpiration: 20121126163128Z
  krbpwdpolicyreference:
cn=global_policy,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  krbticketflags: 128
  mepmanagedentry: cn=rh_ipa_user1000,cn=groups,cn=accounts,dc=testrelm,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser,
posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 1


[root@sti-high-1 httpd]# ipa user-find --login rh_ipa_user1500 --all
--------------
1 user matched
--------------
  dn: uid=rh_ipa_user1500,cn=users,cn=accounts,dc=testrelm,dc=com
  User login: rh_ipa_user1500
  First name: First
  Last name: Last
  Full name: First Last
  Display name: First Last
  Initials: FL
  Home directory: /home/rh_ipa_user1500
  GECOS field: First Last
  Login shell: /bin/sh
  Kerberos principal: rh_ipa_user1500@TESTRELM.COM
  UID: 1677401512
  GID: 1677401512
  Account disabled: False
  Password: True
  Member of groups: g2_qualityengineering
  Indirect Member of Sudo rule: allowsudorule1
  Kerberos keys available: True
  ipauniqueid: 0c58f050-f12b-11e1-9945-782bcb785283
  krbextradata: AALD8jxQa2FkbWluZEBURVNUUkVMTS5DT00A
  krblastpwdchange: 20120828163307Z
  krbpasswordexpiration: 20121126163307Z
  krbpwdpolicyreference:
cn=global_policy,cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
  krbticketflags: 128
  mepmanagedentry: cn=rh_ipa_user1500,cn=groups,cn=accounts,dc=testrelm,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser,
posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser,
ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------

Atachment show 2 ldif export of users, one added the other not for
comparisons...