Bug 1204205

Summary: [RFE] ID Views: Automated migration tool from Winsync to Trusts
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium    
Version: 7.0CC: jcholast, lmiksik, mkosek, rcritten, sumenon, tbabej
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-12.el7 Doc Type: Release Note
Doc Text:
Automated migration from WinSync to trusts now supported The new "ipa-winsync-migrate" utility enables seamless migration from synchronization-based integration using WinSync to integration based on Active Directory (AD) trust. The utility automatically migrates all users synchronized using WinSync from a specified AD forest. Previously, migration from synchronization to trust could only be performed manually using ID views. For more information about "ipa-winsync-migrate", see the ipa-winsync-migrate(1) man page.
 Story Points: ---
Clone Of:
: 1246518 (view as bug list) Environment:
Last Closed: 2015-11-19 12:02:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1181710    
Attachments:
Description Flags
Logs displayed on console when ipa-winsync-migrate is run.
none
httpd error logs
none
dirsrv logs
none
Screenshot UI displaying users left post winsync migrate
none
Console Output
none
Console Logs none

Description Martin Kosek 2015-03-20 15:25:51 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4524

One of the major use cases for ID Views is migration from sync solution (winsync based), where users get UIDs and GIDs assigned by FreeIPA - see #3318.

In the migration procedure, admin needs to create a ''idoverride'' for each such group and user in the default view, and then delete the original synced user/group entry.

There should be a command or a a separate tool to convert the synced users to idoverride objects in the default view.
Comment 1 Tomas Babej 2015-07-02 11:25:41 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0cb87fc31ae5babb9331ed81d8d743bcc5bb1c92
https://fedorahosted.org/freeipa/changeset/4c6ff801405de9bcc9175e1687a91ff55143d9b3
https://fedorahosted.org/freeipa/changeset/2104e07fa82dc599fe81cea822dfa8b060cc91cc
https://fedorahosted.org/freeipa/changeset/e7d7f01d5ffbb8d3c5d5e882ca19b7b9fe96aa7c
https://fedorahosted.org/freeipa/changeset/cf61e2ad94f0e2f822f203291e5adc5882f55e77
https://fedorahosted.org/freeipa/changeset/69c6a332168be5c98a3edd18d88bac3750081bb0
https://fedorahosted.org/freeipa/changeset/e6a2a67d7a3144bd012a726fc244bbc0f201cfe9
https://fedorahosted.org/freeipa/changeset/0e11a87090f46695024a67eed58dbb5aaa7be9a3
https://fedorahosted.org/freeipa/changeset/bff7a748d622a174a6023b32b5b13ed8b53975dc
https://fedorahosted.org/freeipa/changeset/d584eb700111bb57f6d10018f4b56d6f10a96d21
https://fedorahosted.org/freeipa/changeset/7017d9e8a64d7974cbe61c82885256a75a9c2cd7
https://fedorahosted.org/freeipa/changeset/e9a3b997176814f890ad90c69a6c14966a24d43f
https://fedorahosted.org/freeipa/changeset/19d62e9aa4315c8afed687412f4737794d39cec0
https://fedorahosted.org/freeipa/changeset/f8d1458fdaedeefac77045d043a0dd5cb9331163
https://fedorahosted.org/freeipa/changeset/646253044028b86291430680981a40bef2bff1e6
https://fedorahosted.org/freeipa/changeset/199358112eb1fe2da61de42c207396646067cb87
https://fedorahosted.org/freeipa/changeset/e5fe79a0f427c117a6ecd8f7870cb43eb5be0c84
https://fedorahosted.org/freeipa/changeset/8d30feb5391026a42a2f8da5df8d539311963b86
Comment 9 Sudhir Menon 2015-09-22 15:13:02 UTC 
Created attachment 1075880 [details]
Logs displayed on console when ipa-winsync-migrate is run.
Comment 10 Sudhir Menon 2015-09-22 15:14:40 UTC 
Created attachment 1075881 [details]
httpd error logs
Comment 11 Sudhir Menon 2015-09-22 15:15:40 UTC 
Created attachment 1075882 [details]
dirsrv logs
Comment 12 Sudhir Menon 2015-09-22 15:17:35 UTC 
Created attachment 1075883 [details]
Screenshot UI displaying users left post winsync migrate
Comment 13 Sudhir Menon 2015-09-22 15:20:29 UTC 
Tomas,

1. ID overrides have not been created

[root@ipa01 ~]# ipa idoverrideuser-find "Default Trust View"
---------------------------
0 User ID overrides matched
---------------------------
----------------------------
Number of entries returned 0
----------------------------

2. Attached all the logs for your reference.
Comment 14 Tomas Babej 2015-09-22 15:25:09 UTC 
Thanks, from the logs I can see there are several issues going on:

1. Several users have not been able to be resolved, that's why they have not been migrated:

WARNING: Migration failed: aduser1 (aduser1: user not found)
...
WARNING: Migration failed: user4 (user4: user not found)

Can you check that these users can be resolved using an "id" command?

$ id aduser1

I just ran a ipa-winsync-migrate on my setup, and it migrated the users, so I don't think this is a general issue, rather a misconfiguration.

Users which cannot be resolved (and therefore replaced by their identities on the AD side) are not removed, this is as designed.

2. The actual migration blows up at some point, because username in AD contains invalid characters:

ipa.ipaserver.install.ipa_winsync_migrate.WinsyncMigrate: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_winsync_migrate.py", line 348, in run
    self.migrate_role_memberships(entry)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_winsync_migrate.py", line 282, in migrate_role_memberships
    object_container_dn=DN(api.env.container_rolegroup, api.env.basedn),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_winsync_migrate.py", line 258, in migrate_memberships
    create_winsync_group(obj)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_winsync_migrate.py", line 232, in create_winsync_group
    api.Command['group_add'](name, external=True)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 441, in __call__
    self.validate(**params)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 721, in validate
    param.validate(value, self.env.context, supplied=param.name in kw)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 837, in validate
    self._validate_scalar(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 856, in _validate_scalar
    rule=rule,

ipa.ipaserver.install.ipa_winsync_migrate.WinsyncMigrate: DEBUG: The ipa-migrate-winsync command failed, exception: ValidationError: invalid 'group_name': may only include letters, numbers, _, -, . and $
ipa.ipaserver.install.ipa_winsync_migrate.WinsyncMigrate: ERROR: invalid 'group_name': may only include letters, numbers, _, -, . and $
Comment 15 Sudhir Menon 2015-09-22 18:16:46 UTC 
[root@ipa01 ~]# id aduser1
id: aduser1: no such user
Comment 16 Tomas Babej 2015-09-23 06:35:23 UTC 
This is I suspected - the migration did not happen since the users could not be resolved. I suspect problem in your trust setup.

The second issue is a real problem, can you file a separate BZ for that?
Comment 17 Tomas Babej 2015-09-23 06:35:41 UTC 
This is I suspected - the migration did not happen since the users could not be resolved. I suspect problem in your trust setup.

The second issue is a real problem, can you file a separate BZ for that?
Comment 18 Martin Kosek 2015-09-23 11:07:35 UTC 
I would suggest filing a Trac ticket fixing the legitimate bug and linking it to this Bugzilla. Given that user is likely to hit the issue, it would be nice fixing in right in the RHEL-7.2.
Comment 20 Tomas Babej 2015-09-23 11:48:31 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5319
Comment 22 Sudhir Menon 2015-09-23 13:33:28 UTC 
Created attachment 1076239 [details]
Console Output
Comment 23 Jan Cholasta 2015-09-23 15:08:35 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a758f16abe608569e3797b048676c3eb245d784a
https://fedorahosted.org/freeipa/changeset/75cba4e8bfe0479078ba112d99628ed517e010a2
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/aac5f9377502234cf35fa9bc21c6f322a2100d65
https://fedorahosted.org/freeipa/changeset/d639e932e248866e7a5993f899f025778860bc95
Comment 26 Sudhir Menon 2015-09-24 06:50:06 UTC 
Verified on RHEL7.1 and Windows 2012 R2.

ipa-server-trust-ad-4.2.0-12.el7.x86_64
ipa-server-4.2.0-12.el7.x86_64
ipa-server-dns-4.2.0-12.el7.x86_64
sssd-1.13.0-35.el7.x86_64

Obseravtions.

1. Winsync Migration is successful without any trace messages.
2. Users have the same UID and GID
3. Group memberships are preserved 
4. SELinux user mappings are preserved 
5. HBAC rules for the user are preserved 
6. Migrated users are overrided to "Default Trust View"
7. Post Winsync Migration users are removed from UI.

Attaching the console logs for reference.
Comment 27 Sudhir Menon 2015-09-24 06:51:17 UTC 
Created attachment 1076365 [details]
Console Logs
Comment 29 errata-xmlrpc 2015-11-19 12:02:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html