Janez Molicnik via FreeIPA-users wrote:
> Hi!
>
> While doing a yearly disaster recovery I encountered a strange issue, of the
> 749 users in production environment 748 got successfully imported, but one
> user is missing.
>
> "kinit missing.username" just warns that the user was not found in Kerberos
> database while getting initial credentials.
> "ipa user-find missing.username" says 0 users matched and WebUI shows there
> are just 748 users and doesn't see the missing one. It is also not present in
> "Stage users" or "Preserved users".
>
> What logs can I check to troubleshoot this issue? There is nothing special
> about this user as far as I can see. Password will expire next year, he is a
> member of admin group, but other admins got imported without issues.
>
> The issue could also be connected to my next question: for security reasons
> we have disabled the system admin user (the FreeIPA built-in account, the
> only member of "trust admins" group) - can this action interfere with full
> backup restore?
>
> I did one restore like that and the admin and the missing user could not get
> the Kerberos tickets - now I have enabled the admin user back again and made
> a full backup and then restored it - and admin account started to work (can
> log in), but then the issue with missing user arose. I am testing with a
> VirtualBox and I reverted the failed restore, so the missing user issue is
> not directly connected to the disabled admin. But it could be connected to
> admin user not being in the admin group? I suppose the admin user should be a
> member of admin group when doing restore? We probably also removed it from
> this group when disabling it - can anybody confirm, that the admin user is
> part of the admin group in default install?

I'd suggest pulling the backup apart (it's a tarball) and looking directly in the LDIF. If the entry isn't there then that's why it wasn't restored. That or if the entry is there but not restored we'd need to pull in the 389 team to figure out what is going on.

rob
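
The LDIF check suggested in the reply above, as an added example that is not part of the original thread or of FreeIPA's own tooling: it unfolds continuation lines and decodes base64 values before matching, because a plain text search for the uid misses an entry whose `dn` is folded or encoded. The sample LDIF, the `dc=example,dc=test` suffix and the function names are constructed for illustration; the tombstone and conflict checks assume the export carries the usual 389 Directory Server markers (`nsTombstone`, `nsds5ReplConflict`).

```python
import base64

# Constructed sample LDIF (not from the thread). The second entry has a folded
# dn line and a base64 uid, so searching the raw text for the uid finds nothing.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: alice

dn: uid=missing.user
 name,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid:: bWlzc2luZy51c2VybmFtZQ==
"""

def parse_ldif(text):
    """Yield one dict per entry: lowercased attribute name -> list of values."""
    # RFC 2849: a line that starts with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if "dn" in entry:  # skips the "version: 1" header block
            yield entry

def find_user(text, uid):
    """Return (dn, status) for every entry whose uid matches, ignoring case."""
    hits = []
    for entry in parse_ldif(text):
        if uid.lower() not in (v.lower() for v in entry.get("uid", [])):
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        status = ("tombstone" if "nstombstone" in classes
                  else "conflict" if "nsds5replconflict" in entry
                  else "live")
        hits.append((entry["dn"][0], status))
    return hits
```

To run it against a real backup, read the extracted LDIF file and pass its text to `find_user` together with the missing login name; an empty list means the entry was never in the backup.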
