Bug 1204205 - [RFE] ID Views: Automated migration tool from Winsync to Trusts
Summary: [RFE] ID Views: Automated migration tool from Winsync to Trusts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks: 1181710
Reported: 2015-03-20 15:25 UTC by Martin Kosek
Modified: 2015-11-19 12:02 UTC (History)

Fixed In Version: ipa-4.2.0-12.el7
Doc Type: Release Note
Doc Text:
Automated migration from WinSync to trusts now supported The new "ipa-winsync-migrate" utility enables seamless migration from synchronization-based integration using WinSync to integration based on Active Directory (AD) trust. The utility automatically migrates all users synchronized using WinSync from a specified AD forest. Previously, migration from synchronization to trust could only be performed manually using ID views. For more information about "ipa-winsync-migrate", see the ipa-winsync-migrate(1) man page.
Clone Of:
: 1246518 (view as bug list)
Environment:
Last Closed: 2015-11-19 12:02:13 UTC
Target Upstream Version:
Embargoed:


Attachments
Logs displayed on console when ipa-winsync-migrate is run. (17.08 KB, text/plain) - 2015-09-22 15:13 UTC, Sudhir Menon
httpd error logs (18.25 KB, text/plain) - 2015-09-22 15:14 UTC, Sudhir Menon
dirsrv logs (19.94 KB, text/plain) - 2015-09-22 15:15 UTC, Sudhir Menon
Screenshot UI displaying users left post winsync migrate (97.37 KB, image/png) - 2015-09-22 15:17 UTC, Sudhir Menon
Console Output (10.63 KB, text/plain) - 2015-09-23 13:33 UTC, Sudhir Menon
Console Logs (50.82 KB, text/plain) - 2015-09-24 06:51 UTC, Sudhir Menon


Links
Red Hat Product Errata RHBA-2015:2362 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2015-11-19 10:40:46 UTC

Description Martin Kosek 2015-03-20 15:25:51 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4524

One of the major use cases for ID Views is migration from sync solution (winsync based), where users get UIDs and GIDs assigned by FreeIPA - see #3318.

In the migration procedure, the admin needs to create an 'idoverride' for each such group and user in the default view, and then delete the original synced user/group entry.

There should be a command or a separate tool to convert the synced users to idoverride objects in the default view.

Comment 1 Tomas Babej 2015-07-02 11:25:41 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0cb87fc31ae5babb9331ed81d8d743bcc5bb1c92
https://fedorahosted.org/freeipa/changeset/4c6ff801405de9bcc9175e1687a91ff55143d9b3
https://fedorahosted.org/freeipa/changeset/2104e07fa82dc599fe81cea822dfa8b060cc91cc
https://fedorahosted.org/freeipa/changeset/e7d7f01d5ffbb8d3c5d5e882ca19b7b9fe96aa7c
https://fedorahosted.org/freeipa/changeset/cf61e2ad94f0e2f822f203291e5adc5882f55e77
https://fedorahosted.org/freeipa/changeset/69c6a332168be5c98a3edd18d88bac3750081bb0
https://fedorahosted.org/freeipa/changeset/e6a2a67d7a3144bd012a726fc244bbc0f201cfe9
https://fedorahosted.org/freeipa/changeset/0e11a87090f46695024a67eed58dbb5aaa7be9a3
https://fedorahosted.org/freeipa/changeset/bff7a748d622a174a6023b32b5b13ed8b53975dc
https://fedorahosted.org/freeipa/changeset/d584eb700111bb57f6d10018f4b56d6f10a96d21
https://fedorahosted.org/freeipa/changeset/7017d9e8a64d7974cbe61c82885256a75a9c2cd7
https://fedorahosted.org/freeipa/changeset/e9a3b997176814f890ad90c69a6c14966a24d43f
https://fedorahosted.org/freeipa/changeset/19d62e9aa4315c8afed687412f4737794d39cec0
https://fedorahosted.org/freeipa/changeset/f8d1458fdaedeefac77045d043a0dd5cb9331163
https://fedorahosted.org/freeipa/changeset/646253044028b86291430680981a40bef2bff1e6
https://fedorahosted.org/freeipa/changeset/199358112eb1fe2da61de42c207396646067cb87
https://fedorahosted.org/freeipa/changeset/e5fe79a0f427c117a6ecd8f7870cb43eb5be0c84
https://fedorahosted.org/freeipa/changeset/8d30feb5391026a42a2f8da5df8d539311963b86

Comment 9 Sudhir Menon 2015-09-22 15:13:02 UTC
Created attachment 1075880 [details]
Logs displayed on console when ipa-winsync-migrate is run.

Comment 10 Sudhir Menon 2015-09-22 15:14:40 UTC
Created attachment 1075881 [details]
httpd error logs

Comment 11 Sudhir Menon 2015-09-22 15:15:40 UTC
Created attachment 1075882 [details]
dirsrv logs

Comment 12 Sudhir Menon 2015-09-22 15:17:35 UTC
Created attachment 1075883 [details]
Screenshot UI displaying users left post winsync migrate

Comment 13 Sudhir Menon 2015-09-22 15:20:29 UTC
Tomas,

1. ID overrides have not been created

[root@ipa01 ~]# ipa idoverrideuser-find "Default Trust View"
---------------------------
0 User ID overrides matched
---------------------------
----------------------------
Number of entries returned 0
----------------------------

2. Attached all the logs for your reference.

Comment 14 Tomas Babej 2015-09-22 15:25:09 UTC
Thanks, from the logs I can see there are several issues going on:

1. Several users have not been able to be resolved, that's why they have not been migrated:

WARNING: Migration failed: aduser1 (aduser1: user not found)
...
WARNING: Migration failed: user4 (user4: user not found)

Can you check that these users can be resolved using an "id" command?

$ id aduser1

I just ran an ipa-winsync-migrate on my setup, and it migrated the users, so I don't think this is a general issue, rather a misconfiguration.

Users which cannot be resolved (and therefore replaced by their identities on the AD side) are not removed, this is as designed.

2. The actual migration blows up at some point, because username in AD contains invalid characters:

ipa.ipaserver.install.ipa_winsync_migrate.WinsyncMigrate: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_winsync_migrate.py", line 348, in run
    self.migrate_role_memberships(entry)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_winsync_migrate.py", line 282, in migrate_role_memberships
    object_container_dn=DN(api.env.container_rolegroup, api.env.basedn),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_winsync_migrate.py", line 258, in migrate_memberships
    create_winsync_group(obj)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_winsync_migrate.py", line 232, in create_winsync_group
    api.Command['group_add'](name, external=True)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 441, in __call__
    self.validate(**params)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 721, in validate
    param.validate(value, self.env.context, supplied=param.name in kw)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 837, in validate
    self._validate_scalar(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 856, in _validate_scalar
    rule=rule,

ipa.ipaserver.install.ipa_winsync_migrate.WinsyncMigrate: DEBUG: The ipa-migrate-winsync command failed, exception: ValidationError: invalid 'group_name': may only include letters, numbers, _, -, . and $
ipa.ipaserver.install.ipa_winsync_migrate.WinsyncMigrate: ERROR: invalid 'group_name': may only include letters, numbers, _, -, . and $
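
A pre-flight check for the two failure modes described in this comment (users that `id` cannot resolve, and AD group names that `group_add` rejects), added here as an example; it is not part of this bug or of ipa-winsync-migrate itself. The name pattern is assumed from the ValidationError text quoted above, and the sample names and the stand-in resolver are constructed.

```python
import pwd
import re

# Assumed from the error text quoted above ("may only include letters,
# numbers, _, -, . and $"); not copied from the IPA source.
GROUP_NAME_RE = re.compile(r'^[A-Za-z0-9_.$][A-Za-z0-9_.$-]*$')


def resolve_via_nss(name):
    """Default resolver: True if NSS (sssd through the trust) knows the
    user, i.e. the same condition as `id <name>` succeeding."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def preflight(users, groups, resolver=resolve_via_nss):
    """Classify winsync'd users and AD group names before running
    ipa-winsync-migrate.

    'unresolved': users the resolver cannot find; the tool logs
                  "Migration failed: <user> (<user>: user not found)"
                  and leaves the synced entry in place.
    'bad_groups': names group_add would reject with ValidationError,
                  which aborts the whole run (issue 2 above).
    """
    unresolved = [u for u in users if not resolver(u)]
    bad_groups = [g for g in groups if not GROUP_NAME_RE.match(g)]
    return {'unresolved': unresolved, 'bad_groups': bad_groups}


if __name__ == '__main__':
    # Constructed sample input, modelled on the names in the comments.
    synced_users = ['aduser1', 'aduser2', 'user4']
    ad_groups = ['Domain Users', 'ipa-sync_grp', 'Admins$']
    # Constructed resolver standing in for `id` against the trust.
    known = {'aduser2'}
    report = preflight(synced_users, ad_groups, resolver=lambda u: u in known)
    for u in report['unresolved']:
        print('WARNING: %s will not be migrated (user not found)' % u)
    for g in report['bad_groups']:
        print('ERROR: group %r would fail group_add name validation' % g)
```

Run it against the real trust by dropping the `resolver=` argument, so that `pwd.getpwnam` (sssd) is consulted as `id` would be.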

Comment 15 Sudhir Menon 2015-09-22 18:16:46 UTC
[root@ipa01 ~]# id aduser1
id: aduser1: no such user

Comment 16 Tomas Babej 2015-09-23 06:35:23 UTC
This is as I suspected: the migration did not happen since the users could not be resolved. I suspect a problem in your trust setup.

The second issue is a real problem, can you file a separate BZ for that?

Comment 17 Tomas Babej 2015-09-23 06:35:41 UTC
This is as I suspected: the migration did not happen since the users could not be resolved. I suspect a problem in your trust setup.

The second issue is a real problem, can you file a separate BZ for that?

Comment 18 Martin Kosek 2015-09-23 11:07:35 UTC
I would suggest filing a Trac ticket fixing the legitimate bug and linking it to this Bugzilla. Given that a user is likely to hit the issue, it would be nice to fix it right in RHEL-7.2.

Comment 20 Tomas Babej 2015-09-23 11:48:31 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5319

Comment 22 Sudhir Menon 2015-09-23 13:33:28 UTC
Created attachment 1076239 [details]
Console Output

Comment 26 Sudhir Menon 2015-09-24 06:50:06 UTC
Verified on RHEL7.1 and Windows 2012 R2.

ipa-server-trust-ad-4.2.0-12.el7.x86_64
ipa-server-4.2.0-12.el7.x86_64
ipa-server-dns-4.2.0-12.el7.x86_64
sssd-1.13.0-35.el7.x86_64

Observations:

1. Winsync migration is successful without any trace messages.
2. Users have the same UID and GID.
3. Group memberships are preserved.
4. SELinux user mappings are preserved.
5. HBAC rules for the user are preserved.
6. Migrated users are overridden in "Default Trust View".
7. Post winsync migration, users are removed from the UI.

Attaching the console logs for reference.

Comment 27 Sudhir Menon 2015-09-24 06:51:17 UTC
Created attachment 1076365 [details]
Console Logs

Comment 29 errata-xmlrpc 2015-11-19 12:02:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
