On 7/14/21 11:27 AM, Rob Crittenden wrote:
Jim Kilborn via FreeIPA-users wrote:
We have migrated our AD users to a new domain (i.e. example.com -> examplenew.com)
and I now need to change our IPA AD sync replication to use the new
domain. I can remove the old replication agreement and create the new
one, but my question is what happens to the users accounts. The AD
usernames didn't change during the migration, but the SID will be
different due to it being a new account in a new domain. Will IPA just
associate that username with the one already in IPA, or will it try
to create another account with a different UID/GID in IPA?
I'm honestly not sure what will happen. I suspect it will associate the
user with the existing one in IPA, but otherwise not change anything.

So it won't see the new SID, for example.

But I really don't know. This is not something that we on the IPA team
tested at all.

cc'ing a 389 developer to see what they think.

From a replication perspective, if the data source changed in such a fashion, then a reinit would be required with the new agreement. Replication would not detect a "difference" in an entry, it only replicates changes from the replication changelog. So if you did not reinit then I suspect replication would not even work, or if it did, you would be in an inconsistent state.

HTH,

Mark


rob

--
Directory Server Development Team
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure