Bug 1044137

Summary: [RFE] posix winsync should support ADD user/group entries from DS to AD
Product: Red Hat Enterprise Linux 7 Reporter: Nathan Kinder <nkinder>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: jwooten, nhosoi, vashirov
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.3.1-1.el7 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 09:29:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nathan Kinder 2013-12-17 21:16:26 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/428

User/group entries added to DS do not have their posix attributes synced to AD.  This is due to a limitation in the winsync v1 api.  The v2 and later api support a pre add callback for DS to AD entries.
Comment 3 Noriko Hosoi 2014-10-28 20:43:26 UTC 
Docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/posix-sync.html
http://www.port389.org/docs/389ds/design/winsync-posix.html
http://www.port389.org/docs/389ds/design/posix-winsync-sid-enhancements.html

Please test these attribute paris:
    "unixHomeDirectory", "homeDirectory"
    "loginShell", "loginShell"
    "uidNumber", "uidNumber"
    "gidNumber", "gidNumber"
    "gecos", "gecos"
Comment 4 Viktor Ashirov 2015-01-19 17:13:34 UTC 
$ rpm -qa | grep 389
389-ds-base-debuginfo-1.3.3.1-11.el7.x86_64
389-ds-base-libs-1.3.3.1-11.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

[1] Add user to DS with POSIX attributes:
$ ldapmodify -D "cn=Directory Manager" -w Secret123  -H ldap://localhost:1189 -a << EOF
dn: uid=ds_posixusr,ou=People,dc=example,dc=com
objectClass: inetorgperson
objectClass: inetuser
objectclass: ntUser
objectClass: posixAccount
uid: ds_posixusr
givenName: ds_posixusr
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ds_posixusr
gecos: ds_posixusr
loginShell: /bin/bash
sn: ds_posixusr
cn: ds_posixusr
ntUserCreateNewAccount: true
ntUserDomainId: ds_posixusr
ntUserDeleteAccount: true
userPassword: Secret123
EOF
adding new entry "uid=ds_posixusr,ou=People,dc=example,dc=com"

[2] Add user to AD with POSIX attributes:
$ ldapadd -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldaps://win2k8.adrelm.com:636  << EOF
dn: CN=ad_posixusr,ou=adsync,dc=adrelm,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount
uidNumber: 2000
gidNumber: 2000
cn: ad_posixusr
sn: ad_posixusr
uid: ad_posixusr
givenName: ad_posixusr
distinguishedName: CN=ad_posixusr,ou=adsync,dc=adrelm,dc=com
displayName: ad_posixusr
unixHomeDirectory: /home/ad_posixusr
loginShell: /bin/bash
gecos: ad_posixusr
sAMAccountName: ad_posixusr
userPrincipalName: ad_posixusr@dc=adrelm,dc=com
userAccountControl: 512
unicodePwd::IgBTAGUAYwByAGUAdAAxADIAMwA0ACIA
EOF
adding new entry "CN=ad_posixusr,ou=adsync,dc=adrelm,dc=com"

[3] Wait for sync

[4] Search for POSIX attributes of AD user synced to DS:
$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 -b dc=example,dc=com uid=ad_posixusr uidNumber gidNumber unixHomeDirectory homeDirectory loginShell gecos
dn: uid=ad_posixusr,ou=People,dc=example,dc=com
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/ad_posixusr
loginShell: /bin/bash
gecos: ad_posixusr

[5] Search for POSIX attributes of DS user synced to AD:
$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldap://win2k8.adrelm.com -b dc=adrelm,dc=com cn=ds_posixusr uidNumber gidNumber unixHomeDirectory homeDirectory loginShell gecos
dn: CN=ds_posixusr,OU=adsync,DC=adrelm,DC=com
uidNumber: 1000
gidNumber: 1000
gecos: ds_posixusr
unixHomeDirectory: /home/ds_posixusr
loginShell: /bin/bash


Marking as VERIFIED
Comment 6 errata-xmlrpc 2015-03-05 09:29:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html