Bug 1248405

Summary: PassSync should be disabled after ipa-winsync-migrate is finished
Product: Red Hat Enterprise Linux 7
Reporter: Petr Vobornik <pvoborni>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: ksiddiqu, pvoborni, rcritten, sumenon, tbabej
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-11-19 12:04:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Petr Vobornik 2015-07-30 08:38:12 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5162

Without PassSync disabled, Active Directory controllers may still try to reset the user account passwords, even though they are already not there.

This warning/notice should be added to the tool itself and to the man pages.

Comment 3 Sudhir Menon 2015-09-30 10:21:39 UTC
Petr,

Below are the observations with respect to the testing done on the bug.
Can you please confirm that we are good here to mark this ticket verified if point 4 is expected behaviour.

1. Found that the replication agreement is set up properly between IPA and AD.
Winsync migrate command also runs without any error. Attaching the logs for reference.

2. The man page for ipa-winsync-migrate command lists the required warning.

WARNINGS
After the migration, any PassSync agreements need to be removed from Active Directory Domain Controllers, otherwise they might attempt to update passwords for accounts that no longer exist on the IPA server.

3. ipa-winsync-migrate command when executed displays the warning as well.

ipa.ipaserver.install.ipa_winsync_migrate.WinsyncMigrate: WARNING: Migration completed. Please note that if PassSync was configured on the given Active Directory server, it needs to be manually removed, otherwise it may try to reset password for accounts that are no longer existent.

4. PassSync service on the Windows AD is not disabled (i.e. the service is in running state) post winsync migration completion, is this expected?

Comment 4 Tomas Babej 2015-09-30 10:30:06 UTC
Yes, this is expected. We cannot disable the PassSync service on the AD automatically, hence we provide a warning to the admin instead.

Comment 5 Sudhir Menon 2015-09-30 10:32:16 UTC
Thanks Tomas,
Marking the bug verified as per above comment.

Comment 6 errata-xmlrpc 2015-11-19 12:04:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html