Bug 1181093

| Field | Value |
|---|---|
| Summary | PassSync does not sync passwords due to missing ACIs |
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.1 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | medium |
| Reporter | Steeve Goveas <sgoveas> |
| Assignee | IPA Maintainers <ipa-maint> |
| QA Contact | Namita Soman <nsoman> |
| CC | mkosek, rcritten, sgoveas |
| Target Milestone | rc |
| Keywords | Regression |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.1.0-16.el7 |
| Doc Type | Bug Fix |
| Last Closed | 2015-03-05 10:19:21 UTC |
| Type | Bug |

Description
Steeve Goveas
2015-01-12 11:15:43 UTC
It is probably related to the PermissionV2 feature which did ACI changes. Can you please provide Directory Server access log? It should contain the query that PassSync used to query the users.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4837

Created attachment 979622
Directory Server access logs

Attaching directory server access logs.
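
Added example (not part of the bug report or of FreeIPA): one way to triage a Directory Server access log for operations by the PassSync bind identity that access control may have blocked. The log lines are constructed, and the bind DN, suffix and search filter are assumptions; a zero-entry search is only a candidate and should be compared with the same search run as Directory Manager, as the sample does.

```python
import re

# Constructed access-log lines, not the bug's attachment; DNs and filter are assumed.
PASSSYNC_DN = "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com"
SAMPLE_LOG = """\
[12/Jan/2015:11:20:01 +0000] conn=7 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[12/Jan/2015:11:20:01 +0000] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com"
[12/Jan/2015:11:20:01 +0000] conn=7 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(ntUserDomainId=aduser1)" attrs=ALL
[12/Jan/2015:11:20:01 +0000] conn=7 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[12/Jan/2015:11:20:05 +0000] conn=8 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Jan/2015:11:20:05 +0000] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[12/Jan/2015:11:20:05 +0000] conn=8 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(ntUserDomainId=aduser1)" attrs=ALL
[12/Jan/2015:11:20:05 +0000] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Jan/2015:11:20:09 +0000] conn=7 op=2 MOD dn="uid=aduser2,cn=users,cn=accounts,dc=example,dc=com"
[12/Jan/2015:11:20:09 +0000] conn=7 op=2 RESULT err=50 tag=103 nentries=0 etime=0
"""

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) ([A-Z]+)(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def acl_suspects(log_text, bind_dn):
    bound, pending, hits = {}, {}, []   # conn -> bound DN; (conn, op) -> request
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        f = {k: v.strip('"') for k, v in KV.findall(rest)}
        if kind in ("BIND", "SRCH", "MOD"):
            pending[(conn, op)] = (kind, f)
            continue
        if kind != "RESULT" or (conn, op) not in pending:
            continue
        req_kind, req = pending.pop((conn, op))
        err = f.get("err")
        if req_kind == "BIND":
            if err == "0":          # only a successful bind changes the identity
                bound[conn] = req.get("dn", "").lower()
        elif bound.get(conn) == bind_dn.lower():
            if err == "50":         # LDAP insufficientAccessRights
                hits.append((conn, op, req_kind, "err=50", req.get("dn")))
            elif req_kind == "SRCH" and err == "0" and f.get("nentries") == "0":
                # Entries hidden by ACIs are silently omitted from a search result.
                hits.append((conn, op, "SRCH", "nentries=0", req.get("filter")))
    return hits

if __name__ == "__main__":
    for hit in acl_suspects(SAMPLE_LOG, PASSSYNC_DN):
        print(hit)
```

DNs are compared as lowercased strings, so a log that writes the same DN with different spacing needs normalising first.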
Thanks. This is indeed a regression, we are working on a fix.

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/6652c4eb2ebece71b6d60001246bd0fee5909099
ipa-4-1: https://fedorahosted.org/freeipa/changeset/282d1ec2f9346c4a38b9867cff2ecf9151c0a794

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_winsync_0005: Create user (alphanumeric) in AD and verify it is synced to IPA
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ BEGIN ] :: Generate ldif file to add user aduser1 :: actually running 'ADuser_ldif aduser1 ads aduser1 Secret123 512 add'
:: [ PASS ] :: Generate ldif file to add user aduser1 (Expected 0, got 0)
:: [ BEGIN ] :: Adding new user in AD aduser1 :: actually running 'ldapmodify -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -f ADuser.ldif'
adding new entry "CN=aduser1 ads,CN=Users,DC=adrelm,DC=com"

:: [ PASS ] :: Adding new user in AD aduser1 (Expected 0, got 0)
:: [ BEGIN ] :: Sleeping for sync interval :: actually running 'sleep 30'
MARK-LWD-LOOP -- 2015-01-23 02:12:26 --
:: [ PASS ] :: Sleeping for sync interval (Expected 0, got 0)
:: [ BEGIN ] :: aduser1 is synced to IPA :: actually running 'ipa user-show aduser1 > /tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out 2>&1'
:: [ PASS ] :: aduser1 is synced to IPA (Expected 0, got 0)
  User login: aduser1
  First name: aduser1
  Last name: ads
  Home directory: /home/aduser1
  Login shell: /bin/sh
  UID: 948200006
  GID: 948200006
  Account disabled: False
  Password: True
  Kerberos keys available: True
:: [ PASS ] :: File '/tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out' should contain 'Account disabled: False'
:: [ BEGIN ] :: Sleeping more in case password has not synced :: actually running 'sleep 60'
:: [ PASS ] :: Sleeping more in case password has not synced (Expected 0, got 0)
:: [ BEGIN ] :: aduser1 is synced to IPA :: actually running 'ipa user-show aduser1 > /tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out 2>&1'
:: [ PASS ] :: aduser1 is synced to IPA (Expected 0, got 0)
  User login: aduser1
  First name: aduser1
  Last name: ads
  Home directory: /home/aduser1
  Login shell: /bin/sh
  UID: 948200006
  GID: 948200006
  Account disabled: False
  Password: True
  Kerberos keys available: True
:: [ PASS ] :: File '/tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out' should contain 'Account disabled: False'
:: [ PASS ] :: File '/tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out' should contain 'Password: True'
'26872341-a5b8-4d0c-9cc3-935685e779c7'
ipa-winsync-0005-Create-user-alphanumeric-in-AD-and-verify-it-is-synced-to-IPA result: PASS
```

Verified in ipa-server-4.1.0-16.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html