Bug 1118060
Field | Value
---|---
Summary | winsync plugin modify is broken
Product | Red Hat Enterprise Linux 7
Reporter | Noriko Hosoi <nhosoi>
Component | 389-ds-base
Assignee | Noriko Hosoi <nhosoi>
Status | CLOSED ERRATA
QA Contact | Viktor Ashirov <vashirov>
Severity | unspecified
Priority | medium
Version | 7.0
CC | nhosoi, nkinder, rmeggins, vashirov
Target Milestone | rc
Hardware | Unspecified
OS | Unspecified
Fixed In Version | 389-ds-base-1.3.3.1-1.el7
Doc Type | Bug Fix
Last Closed | 2015-03-05 09:36:17 UTC
Description
Noriko Hosoi
2014-07-09 22:51:35 UTC
Verification steps:

0. Enable WinSync + Posix WinSync Plugin (see http://directory.fedoraproject.org/docs/389ds/design/winsync-posix.html, https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/posix-sync.html)
1. Modify uidNumber, gidNumber, and homeDirectory on one side and check the values are correctly updated on the other side.

Adding another test case:

2. Enabling/Disabling an account on DS and check it on AD that status is synchronized. And vice versa.

$ rpm -qa | grep 389
389-ds-base-debuginfo-1.3.3.1-11.el7.x86_64
389-ds-base-libs-1.3.3.1-11.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

[0] WinSync and Posix WinSync plugin are configured.

Add test posix user:

$ ldapmodify -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 -a << EOF
dn: uid=posixusr0,ou=dswinsync,dc=example,dc=com
objectClass: inetorgperson
objectClass: inetuser
objectclass: ntUser
objectClass: posixAccount
uid: posixusr0
givenName: posixusr0
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/posixusr0
sn: posixusr0
cn: posixusr0
ntUserCreateNewAccount: true
ntUserDomainId: posixusr0
ntUserDeleteAccount: true
userPassword: Secret123
EOF
adding new entry "uid=posixusr0,ou=dswinsync,dc=example,dc=com"

It synced to AD:

$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com -b dc=adrelm,dc=com cn=posixusr0
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: posixusr0
sn: posixusr0
givenName: posixusr0
distinguishedName: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20150118020447.0Z
whenChanged: 20150118020447.0Z
uSNCreated: 28818
uSNChanged: 28823
name: posixusr0
objectGUID:: PiFyvSq7rk2nWxFbxCLx1w==
userAccountControl: 544
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 130660202871250000
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130660202871562500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAiiwF82aDDckPUPdEYQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: posixusr0
sAMAccountType: 805306368
userPrincipalName: posixusr0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
uidNumber: 1000
gidNumber: 1000
unixHomeDirectory: /home/posixusr0

[1.1] Modify uidNumber, gidNumber, and homeDirectory on DS:

$ ldapmodify -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 -a << EOF
dn: uid=posixusr0,ou=dswinsync,dc=example,dc=com
changetype: modify
replace: gidNumber
gidNumber: 31337
-
replace: homeDirectory
homeDirectory: /toor
-
replace: uidNumber
uidNumber: 777
-
EOF
modifying entry "uid=posixusr0,ou=dswinsync,dc=example,dc=com"

Changes were successfully synced to AD:

$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com -b dc=adrelm,dc=com cn=posixusr0 uidNumber gidNumber unixHomeDirectory
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
uidNumber: 777
gidNumber: 31337
unixHomeDirectory: /toor

[1.2] Modify uidNumber, gidNumber, and unixHomeDirectory on AD:

ldapmodify -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
changetype: modify
replace: gidNumber
gidNumber: 2000
-
replace: unixHomeDirectory
unixHomeDirectory: /home/posixusr0
-
replace: uidNumber
uidNumber: 2000
-
EOF
modifying entry "CN=posixusr0,OU=adsync,DC=adrelm,DC=com"

Changes were successfully synced to DS:

$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 -b dc=example,dc=com cn=posixusr0 uidNumber gidNumber homeDirectory
dn: uid=posixusr0,ou=dswinsync,dc=example,dc=com
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/posixusr0

[2.1] Disable account on DS:

$ sudo ns-inactivate.pl -Z M1 -D "cn=Directory Manager" -w Secret123 -I uid=posixusr0,ou=dswinsync,dc=example,dc=com
ldap_add: Already exists (68)
ldap_add: Already exists (68)
ldap_add: Already exists (68)
ldap_add: Already exists (68)
ldap_add: Already exists (68)
uid=posixusr0,ou=dswinsync,dc=example,dc=com inactivated.

On AD it becomes disabled:

$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com -b dc=adrelm,dc=com cn=posixusr0 userAccountControl
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
userAccountControl: 514

Enable account on DS:

$ sudo ns-activate.pl -Z M1 -D "cn=Directory Manager" -w Secret123 -I uid=posixusr0,ou=dswinsync,dc=example,dc=com
uid=posixusr0,ou=dswinsync,dc=example,dc=com activated.

On AD it's still disabled:

$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com -b dc=adrelm,dc=com cn=posixusr0 userAccountControl
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
userAccountControl: 514

And after sync, on DS:

$ sudo ns-accountstatus.pl -Z M1 -D "cn=Directory Manager" -w Secret123 -I uid=posixusr1,ou=dswinsync,dc=example,dc=com
uid=posixusr1,ou=dswinsync,dc=example,dc=com inactivated (probably directly).

In other words, if account was inactivated on DS, it cannot be reactivated again from DS.

[2.2] Disable account on AD:

Before change:

$ sudo ns-accountstatus.pl -Z M1 -D "cn=Directory Manager" -w Secret123 -I uid=posixusr0,ou=dswinsync,dc=example,dc=com
uid=posixusr0,ou=dswinsync,dc=example,dc=com activated.

Disable account on AD:

$ ldapmodify -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 514
EOF
modifying entry "CN=posixusr0,OU=adsync,DC=adrelm,DC=com"

After sync, on DS:

$ sudo ns-accountstatus.pl -Z M1 -D "cn=Directory Manager" -w Secret123 -I uid=posixusr0,ou=dswinsync,dc=example,dc=com
uid=posixusr0,ou=dswinsync,dc=example,dc=com inactivated (probably directly).

Enable account on AD:

$ ldapmodify -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 512
EOF

After sync, on DS:

$ sudo ns-accountstatus.pl -Z M1 -D "cn=Directory Manager" -w Secret123 -I uid=posixusr0,ou=dswinsync,dc=example,dc=com
uid=posixusr0,ou=dswinsync,dc=example,dc=com activated.

Created attachment 981049 [details]
errors log
This is an error log for test case 2.1
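The verification steps above compare the POSIX attributes and the enable/disable state on the DS and AD sides by hand. The following check automates that comparison for one user pair; it is an added example, not code from the bug report or from 389-ds-base, and it works on attribute dicts copied from ldapsearch output rather than on live LDAP connections (the sample entries are constructed from the case 2.1 output above).

```python
# Added example: consistency check for one DS <-> AD winsync user pair,
# working on attribute dicts hand-copied from ldapsearch output (no live LDAP).

# userAccountControl bits (AD schema). The report's values decompose as
# 512 = NORMAL_ACCOUNT, 514 = 512 + ACCOUNTDISABLE,
# 544 = 512 + PASSWD_NOTREQD, 546 = 512 + PASSWD_NOTREQD + ACCOUNTDISABLE.
UAC_FLAGS = {"ACCOUNTDISABLE": 0x0002, "PASSWD_NOTREQD": 0x0020, "NORMAL_ACCOUNT": 0x0200}

# DS attribute -> AD attribute, as mapped by the Posix WinSync plugin.
POSIX_ATTR_MAP = {"uidNumber": "uidNumber", "gidNumber": "gidNumber",
                  "homeDirectory": "unixHomeDirectory"}


def decode_uac(value):
    """Return the set of known flag names set in a userAccountControl value."""
    bits = int(value)
    return {name for name, bit in UAC_FLAGS.items() if bits & bit}


def ds_locked(ds_entry):
    """A locked DS account carries nsAccountLock: true (set through the disabled
    role by ns-inactivate.pl, or directly by winsync)."""
    return str(ds_entry.get("nsAccountLock", "false")).lower() == "true"


def winsync_mismatches(ds_entry, ad_entry):
    """List every way the AD entry disagrees with the DS entry; empty when in sync."""
    problems = []
    for ds_attr, ad_attr in POSIX_ATTR_MAP.items():
        ds_val, ad_val = ds_entry.get(ds_attr), ad_entry.get(ad_attr)
        if ds_val != ad_val:
            problems.append(f"{ds_attr}: DS={ds_val!r}, AD {ad_attr}={ad_val!r}")
    ad_disabled = "ACCOUNTDISABLE" in decode_uac(ad_entry.get("userAccountControl", 0))
    if ds_locked(ds_entry) != ad_disabled:
        problems.append(f"lock state: DS locked={ds_locked(ds_entry)}, AD disabled={ad_disabled}")
    return problems


# Constructed sample: the state reached in test case 2.1, after ns-activate.pl
# reported "activated" on DS while AD still showed userAccountControl: 514.
DS_AFTER_ACTIVATE = {"uid": "posixusr0", "uidNumber": "2000", "gidNumber": "2000",
                     "homeDirectory": "/home/posixusr0", "nsAccountLock": "false"}
AD_STILL_DISABLED = {"sAMAccountName": "posixusr0", "uidNumber": "2000",
                     "gidNumber": "2000", "unixHomeDirectory": "/home/posixusr0",
                     "userAccountControl": "514"}

if __name__ == "__main__":
    for problem in winsync_mismatches(DS_AFTER_ACTIVATE, AD_STILL_DISABLED):
        print("MISMATCH:", problem)
```

Running it against the constructed case 2.1 pair reports only the lock-state disagreement, which is exactly the symptom the test case describes.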
Hi Noriko, should I open another bug for test case 2.1 and mark this as verified?

Thank you, Viktor, for testing the case 2.1!

Actually, we brought it up since it was reported by IPA... Please see this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1182477
[Bug 1182477] User enable/disable does not sync with ipawinsyncacctdisable set to both

We have a fix that was verified by Martin this weekend.
Ticket #47989 - Windows Sync accidentally cleared raw_entry

But we have to decide how it's included in 7.1 (or zero day or ...) We are going to discuss the issue in this weekly mtg today. I'll update you with the result.

In the meantime, you could separate the case 2.1 from this bug and use bz 1182477 for the issue.

Thanks a lot!
--noriko

$ rpm -qa | grep 389
389-ds-base-1.3.3.1-12.el7.x86_64
389-ds-base-libs-1.3.3.1-12.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-12.el7.x86_64

[2.1] Disable account on DS:

$ sudo ns-inactivate.pl -Z M1 -D "cn=Directory Manager" -w Secret123 -I uid=posixusr0,ou=dswinsync,dc=example,dc=com
ldap_add: Already exists (68)
ldap_add: Already exists (68)
ldap_add: Already exists (68)
ldap_add: Already exists (68)
ldap_add: Already exists (68)
uid=posixusr0,ou=dswinsync,dc=example,dc=com inactivated.

On AD it becomes disabled, password not required (546):

$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com -b dc=adrelm,dc=com cn=posixusr0 userAccountControl
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
userAccountControl: 546

Enable account on DS:

$ sudo ns-activate.pl -Z M1 -D "cn=Directory Manager" -w Secret123 -I uid=posixusr0,ou=dswinsync,dc=example,dc=com
uid=posixusr0,ou=dswinsync,dc=example,dc=com activated.

Account enabled, password not required (544):

$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com -b dc=adrelm,dc=com cn=posixusr0 userAccountControl
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
userAccountControl: 544

I tried another test case.

[2.3] Disable account on AD, enable it on DS:

Disable account on AD:

$ ldapmodify -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -H ldap://win2k8.adrelm.com << EOF
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 514
EOF
modifying entry "CN=posixusr0,OU=adsync,DC=adrelm,DC=com"

Enable account on DS:

$ sudo ns-activate.pl -Z M1 -D "cn=Directory Manager" -w Secret123 -I uid=posixusr0,ou=dswinsync,dc=example,dc=com
uid=posixusr0,ou=dswinsync,dc=example,dc=com inactivated (probably directly).

ns-activate.pl fails to activate account, because it has nsAccountLock but not nsRoleDN. Looks like there is an issue with ns-activate.pl/ns-inactivate.pl/ns-accountstatus.pl, because if I remove nsAccountLock manually, account will become activated.

I mark this bug as VERIFIED and I'll open another for the issue with ns-activate.pl/ns-inactivate.pl/ns-accountstatus.pl.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html