Miguel Angel Coa M. wrote:
Hi Rob,
CN=LAB is a group entry and inside I have a few members
[.................]
# LAB, Users, example2.com
dn: CN=LAB,CN=Users,DC=example2,DC=com
objectClass: top
objectClass: group
cn: LAB
description: Usuario de grupo LAB
member: CN=winuser64,CN=Users,DC=example2,DC=com
member: CN=winuserlab2 userlab2,OU=Test,DC=example2,DC=com
member: CN=winuser40 winuser40,OU=Test,DC=example2,DC=com
member: CN=winuserlab1 userlab1,OU=Test,DC=example2,DC=com
distinguishedName: CN=LAB,CN=Users,DC=example2,DC=com
instanceType: 4
whenCreated: 20171023203927.0Z
whenChanged: 20171024203108.0Z
uSNCreated: 49193
uSNChanged: 61493
name: LAB
objectGUID:: gQBcEwVqHU+L3DmmZPVFFw==
objectSid:: AQUAAAAAAAUVAAAAguTkYzspTdFQ0vfEWwQAAA==
sAMAccountName: LAB
sAMAccountType: 268435456
groupType: -2147483640
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example2,DC=com
dSCorePropagationData: 16010101000000.0Z
That's why. winsync syncs against a subtree, not members of a group.
rob
[.................]
Regards.
Saludos.
---
Miguel Coa M.
2017-10-25 17:28 GMT-03:00 Rob Crittenden <rcritten(a)redhat.com>:
Miguel Angel Coa M. via FreeIPA-users wrote:
> Hello Everyone,
> I've set up an IPA server connected with AD (Windows Server 2012R2) and it
> works fine, but I need to change the sub-tree for user sync and this step
> fails (does not sync anything).
> For example, when I sync against the default base it is OK
>
> [.................]
> CN=Users,DC=example2,dc=com
> [.................]
>
> [.................]
> nsds7WindowsReplicaSubtree: CN=Users,DC=example2,DC=com
> [.................]
>
>
> But when I try to change the base it does not sync anything
>
> [.................]
> CN=LAB,CN=Users,DC=example2,dc=com
> [.................]
>
> Where LAB is an AD group. Is it possible to sync against an AD group?
IIRC winsync looks for entries that match objectclass=ntuser. Is CN=LAB
literally a group entry or a subtree?
rob
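
Added example, not part of the original thread: a check an administrator could run on an `ldapsearch` dump of the intended base DN before putting it in `nsds7WindowsReplicaSubtree`. It reports whether the entry is a group object (which, per the reply above, winsync does not expand) and which containers its members actually live in; the function names and the trimmed sample entry are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: trimmed copy of the CN=LAB entry quoted in the thread.
SAMPLE_LDIF = """\
dn: CN=LAB,CN=Users,DC=example2,DC=com
objectClass: top
objectClass: group
cn: LAB
member: CN=winuser64,CN=Users,DC=example2,DC=com
member: CN=winuserlab2 userlab2,OU=Test,DC=example2,DC=com
member: CN=winuser40 winuser40,OU=Test,DC=example2,DC=com
member: CN=winuserlab1 userlab1,OU=Test,DC=example2,DC=com
"""

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attr: [values]} (handles folded lines)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        # lstrip also drops the second colon of base64 ("attr:: ...") values
        entry.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
    return entry

def parent_dn(dn):
    """Drop the leftmost RDN, splitting only on an unescaped comma."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""

def check_winsync_base(entry):
    """Report whether the entry is a group object and where its members live."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    parents = Counter(parent_dn(m) for m in entry.get("member", []))
    return {"dn": entry["dn"][0],
            "is_group": "group" in classes,
            "member_parents": dict(parents)}

if __name__ == "__main__":
    report = check_winsync_base(parse_entry(SAMPLE_LDIF))
    print(report["dn"], "-> group object" if report["is_group"] else "-> not a group")
    for container, count in report["member_parents"].items():
        print(f"  {count} member(s) under {container}")
```

For the sample entry the members turn out to be spread over two containers, so no single base DN below `DC=example2,DC=com` covers exactly the group's membership.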