Resolving errors and conflicts

In some cases, you might encounter errors () that must be resolved before a pending import user or group can be migrated into Active Directory. For example, pending import groups cannot be imported if the group profile has any of the following problems:

  • The group’s GID is negative.
  • There is another UNIX group with the same GID already defined in the zone.
  • There is a UNIX group with the same group name already defined in the zone.
  • The matching Active Directory candidate already has a UNIX profile in the zone.

Similarly, pending import users cannot be imported if the user profile has any of the following problems:

  • The user’s UID is negative.
  • The user’s primary group GID is negative.
  • There is a UNIX user with the same user name already defined in the zone.

In most cases, you must resolve these issues by modifying the properties for the pending import profile. For example, assume you are importing a passwd file that includes the UNIX user account pierre with the UID 1001, but there is already an UNIX profile in the zone with the UNIX name pierre and UID of 500. After you check the status, the Pending Import list of users will indicate there is an error.

To resolve a conflict like this, you might select the pending import user, right-click, then select Properties to change the UNIX user name from pierre to another name, such as pierre2. You should keep in mind, however, that conflicts like this might require investigation to determine the appropriate course of action. For example, if you are attempting to import the UNIX profile for the user pierre and there’s a conflict, you need to determine whether pierre with the UID of 1001 is the same person as pierre with a UID of 500 and where each UID is applicable. If both profiles are for one person accessing different computers, you might simply need to define a computer-level override on the specific computer where the UID of 1001 is required. If the pending import user actually refers to a different person, you might have to map the profile to a different Active Directory account or move the computer to a different zone.