Bug 1181093

Summary: PassSync does not sync passwords due to missing ACIs
Product: Red Hat Enterprise Linux 7
Reporter: Steeve Goveas <sgoveas>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.1
CC: mkosek, rcritten, sgoveas
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.1.0-16.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 10:19:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  Directory Server access logs (flags: none)

Description Steeve Goveas 2015-01-12 11:15:43 UTC
Description of problem:
Password of AD user is not syncing to IPA

Version-Release number of selected component (if applicable):
[root@sideswipe ~]# rpm -q ipa-server 389-ds-base
ipa-server-4.1.0-13.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64


How reproducible:


Steps to Reproduce:
1. Install IPA
2. Create winsync agreement
3. Add new user on AD and set password
4. Reset password of existing user
5. Passwords in above cases should sync on IPA server

Actual results:
[root@sideswipe ~]# hostname
sideswipe.ipasync.test

[root@sideswipe ~]# ipa user-show aduser1
  User login: aduser1
  First name: ads
  Last name: user
  Home directory: /home/aduser1
  Login shell: /bin/sh
  Email address: aduser1
  UID: 184400014
  GID: 184400014
  Telephone Number: 66778839
  Account disabled: False
  Password: False
  Kerberos keys available: False

Logs on resetting password on AD

01/12/15 16:38:50: Received passhook event.  Attempting sync
01/12/15 16:38:50: 1 new entries loaded from data file
01/12/15 16:38:50: Cleared contents of data file
01/12/15 16:38:50: Password list has 2 entries
01/12/15 16:38:51: Attempting to sync password for frank
01/12/15 16:38:51: Searching for (ntuserdomainid=frank)
01/12/15 16:38:51: There are no entries that match: frank
01/12/15 16:38:51: Deferring password change for frank
01/12/15 16:38:51: Attempting to sync password for aduser1
01/12/15 16:38:51: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:51: There are no entries that match: aduser1
01/12/15 16:38:51: Deferring password change for aduser1
01/12/15 16:38:51: Backing off for 2000ms
01/12/15 16:38:53: Backoff time expired.  Attempting sync
01/12/15 16:38:53: Password list has 2 entries
01/12/15 16:38:53: Attempting to sync password for frank
01/12/15 16:38:53: Searching for (ntuserdomainid=frank)
01/12/15 16:38:53: There are no entries that match: frank
01/12/15 16:38:53: Deferring password change for frank
01/12/15 16:38:53: Attempting to sync password for aduser1
01/12/15 16:38:53: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:53: There are no entries that match: aduser1
01/12/15 16:38:53: Deferring password change for aduser1
01/12/15 16:38:53: Backing off for 4000ms
01/12/15 16:38:57: Backoff time expired.  Attempting sync
01/12/15 16:38:57: Password list has 2 entries
01/12/15 16:38:57: Attempting to sync password for frank
01/12/15 16:38:57: Searching for (ntuserdomainid=frank)
01/12/15 16:38:57: There are no entries that match: frank
01/12/15 16:38:57: Deferring password change for frank
01/12/15 16:38:57: Attempting to sync password for aduser1
01/12/15 16:38:57: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:57: There are no entries that match: aduser1
01/12/15 16:38:57: Deferring password change for aduser1
01/12/15 16:38:57: Backing off for 8000ms


Expected results:
Passwords must sync on IPA server

Additional info:
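As an added illustration (not part of this bug report, PassSync or IPA), the script below parses PassSync log lines of the kind quoted above and tells the pattern seen here, where every ntuserdomainid search comes back empty for every user, apart from ordinary winsync lag on a single user. The sample log is constructed, and the mapping of "all searches empty" to "check the PassSync bind DN's read ACIs" follows the diagnosis recorded in this bug.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the PassSync log quoted in the report.
SAMPLE_LOG = """\
01/12/15 16:38:51: Attempting to sync password for frank
01/12/15 16:38:51: Searching for (ntuserdomainid=frank)
01/12/15 16:38:51: There are no entries that match: frank
01/12/15 16:38:51: Attempting to sync password for aduser1
01/12/15 16:38:51: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:51: There are no entries that match: aduser1
01/12/15 16:38:51: Backing off for 2000ms
01/12/15 16:38:53: Attempting to sync password for frank
01/12/15 16:38:53: There are no entries that match: frank
01/12/15 16:38:53: Backing off for 4000ms
"""

# One pattern per event type; every log line is "MM/DD/YY HH:MM:SS: message".
EVENTS = {
    "attempt": re.compile(r": Attempting to sync password for (\S+)$"),
    "no_match": re.compile(r": There are no entries that match: (\S+)$"),
    "backoff": re.compile(r": Backing off for (\d+)ms$"),
}

def analyze(log_text):
    counts, backoffs = defaultdict(int), []
    for line in log_text.splitlines():
        for kind, rx in EVENTS.items():
            m = rx.search(line)
            if m is None:
                continue
            if kind == "backoff":
                backoffs.append(int(m.group(1)))
            else:
                counts[(kind, m.group(1))] += 1
            break
    users = sorted({u for k, u in counts if k == "attempt"})
    attempts = {u: counts[("attempt", u)] for u in users}
    misses = {u: counts[("no_match", u)] for u in users}
    # Every attempt for every user ended in "no entries": the search itself is
    # failing, which is not what one user lagging behind in winsync looks like.
    all_unmatched = bool(users) and all(misses[u] == attempts[u] for u in users)
    return {
        "attempts": attempts, "misses": misses, "backoffs_ms": backoffs,
        "all_unmatched": all_unmatched,
        # The quoted log backs off 2000, 4000, 8000 ms: nothing synced all window.
        "backoff_doubling": all(b == 2 * a for a, b in zip(backoffs, backoffs[1:])),
        "next_check": "PassSync bind DN read ACIs" if all_unmatched else "winsync lag",
    }
```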

Comment 3 Martin Kosek 2015-01-13 13:16:55 UTC
It is probably related to the PermissionV2 feature which did ACI changes. Can you please provide Directory Server access log? It should contain the query that PassSync used to query the users.

Comment 4 Martin Kosek 2015-01-13 13:17:11 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4837

Comment 5 Steeve Goveas 2015-01-13 13:35:36 UTC
Created attachment 979622 [details]
Directory Server access logs

Attaching directory server access logs.

Comment 6 Martin Kosek 2015-01-14 08:17:57 UTC
Thanks. This is indeed a regression, we are working on a fix.

Comment 10 Steeve Goveas 2015-01-23 14:01:41 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_winsync_0005: Create user (alphanumeric) in AD and verify it is synced to IPA
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Generate ldif file to add user aduser1 :: actually running 'ADuser_ldif aduser1 ads aduser1 Secret123 512 add'
:: [   PASS   ] :: Generate ldif file to add user aduser1 (Expected 0, got 0)
:: [  BEGIN   ] :: Adding new user in AD aduser1 :: actually running 'ldapmodify -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -f ADuser.ldif'
adding new entry "CN=aduser1 ads,CN=Users,DC=adrelm,DC=com"

:: [   PASS   ] :: Adding new user in AD aduser1 (Expected 0, got 0)
:: [  BEGIN   ] :: Sleeping for sync interval :: actually running 'sleep 30'

MARK-LWD-LOOP -- 2015-01-23 02:12:26 --
:: [   PASS   ] :: Sleeping for sync interval (Expected 0, got 0)
:: [  BEGIN   ] :: aduser1 is synced to IPA :: actually running 'ipa user-show aduser1 > /tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out 2>&1'
:: [   PASS   ] :: aduser1 is synced to IPA (Expected 0, got 0)
  User login: aduser1
  First name: aduser1
  Last name: ads
  Home directory: /home/aduser1
  Login shell: /bin/sh
  UID: 948200006
  GID: 948200006
  Account disabled: False
  Password: True
  Kerberos keys available: True
:: [   PASS   ] :: File '/tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out' should contain 'Account disabled: False' 
:: [  BEGIN   ] :: Sleeping more in case password has not synced :: actually running 'sleep 60'
:: [   PASS   ] :: Sleeping more in case password has not synced (Expected 0, got 0)
:: [  BEGIN   ] :: aduser1 is synced to IPA :: actually running 'ipa user-show aduser1 > /tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out 2>&1'
:: [   PASS   ] :: aduser1 is synced to IPA (Expected 0, got 0)
  User login: aduser1
  First name: aduser1
  Last name: ads
  Home directory: /home/aduser1
  Login shell: /bin/sh
  UID: 948200006
  GID: 948200006
  Account disabled: False
  Password: True
  Kerberos keys available: True
:: [   PASS   ] :: File '/tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out' should contain 'Account disabled: False' 
:: [   PASS   ] :: File '/tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out' should contain 'Password: True' 
'26872341-a5b8-4d0c-9cc3-935685e779c7'
ipa-winsync-0005-Create-user-alphanumeric-in-AD-and-verify-it-is-synced-to-IPA result: PASS

Verified in
ipa-server-4.1.0-16.el7.x86_64

Comment 12 errata-xmlrpc 2015-03-05 10:19:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html