Bug 1797600

Summary: ipa-server-uninstall does not clean trust objects in AD LDAP if a trust was previously setup
Product: Red Hat Enterprise Linux 8
Reporter: François Cami <fcami>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: NEW
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: ---
CC: abokovoy, pasik, rcritten, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: Ki
Doc Type: If docs needed, set a value
Type: Bug

Description François Cami 2020-02-03 13:40:12 UTC
Description of problem:
[reproduced on RHEL 7.6 / ipa-4-6 so far]

* install IDM
* configure AD trust
* add a trust to an AD forest
* search for trust objects in AD LDAP: they should be there
* uninstall the last IDM master
* check whether AD LDAP still has the trust objects


Version-Release number of selected component (if applicable):
ipa-server-4.6.4-10.el7.x86_64
ipa-server-trust-ad-4.6.4-10.el7.x86_64


How reproducible:
Always on RHEL 7.6 at least


Steps to Reproduce:
0. Have an AD Forest ready and create a forest trust from IDM: 
1. ipa-server-install
2. ipa-adtrust-install --add-sids  --add-agents -U
3. ipa trust-add --type=ad '<domain>' --admin '<AD admin>' --password --range-type=ipa-ad-trust
4. ipa-server-install --uninstall -U
5. Search for trust objects in AD LDAP:
- ldapsearch -x -h dc1.adexample.com  -D "administrator"  -W -b "dc=adexample,dc=com" '(flatname=IDM)' flatname
- ldapsearch -x -h dc1.adexample.com -D "administrator"  -W -b "dc=adexample,dc=com" '(samaccountname=IDM*)' samaccountname userAccountControl

Actual results:
$ ldapsearch -x -h dc1.adexample.com  -D "administrator"  -W -b "dc=adexample,dc=com" '(flatname=IDM)' flatname

# idm.adexample.com, System, adexample.com
dn: CN=idm.adexample.com,CN=System,DC=adexample,DC=com
flatName: IDM

$ ldapsearch -x -h dc1.adexample.com -D "administrator"  -W -b "dc=adexample,dc=com" '(samaccountname=IDM*)' samaccountname userAccountControl
Enter LDAP Password: 

# IDM$, Users, adexample.com
dn: CN=IDM$,CN=Users,DC=adexample,DC=com
userAccountControl: 2080
sAMAccountName: IDM$


Expected results:
None of the ldapsearches should find anything in AD LDAP.
ipa-server-install --uninstall, when executed on the last IDM Trust Agent, should remove its trust agreement(s) early.
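A small audit helper for the check in step 5, added here as an example (it is not part of the bug report and not IdM code): it parses the LDIF that ldapsearch prints for the two filters above and reports any trustedDomain object and any interdomain trust account that still reference the IdM NetBIOS name after the uninstall. The sample LDIF is constructed to mirror the output quoted in "Actual results" (with one unrelated computer account and the trailing "search:/result:" lines ldapsearch normally emits); the userAccountControl bit values are the documented Microsoft ADS_USER_FLAG constants, and 2080 decodes to INTERDOMAIN_TRUST_ACCOUNT plus PASSWD_NOTREQD, which is exactly what a forest-trust account looks like.

```python
"""Report trust objects left in AD LDAP after an IdM server was uninstalled.

Added example, not code from the bug report. Feed it the LDIF text produced by:
  ldapsearch -x -h <dc> -D <bind dn> -W -b <base> '(flatname=<NETBIOS>)' flatname
  ldapsearch -x -h <dc> -D <bind dn> -W -b <base> '(samaccountname=<NETBIOS>*)' samaccountname userAccountControl
"""
import re

# userAccountControl bits (Microsoft ADS_USER_FLAG values); only those relevant here.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
}

# Constructed sample mirroring the report's "Actual results" output (not real data).
SAMPLE_LDIF = """\
# extended LDIF
# filter: (flatname=IDM)

# idm.adexample.com, System, adexample.com
dn: CN=idm.adexample.com,CN=System,DC=adexample,DC=com
flatName: IDM

Enter LDAP Password:

# IDM$, Users, adexample.com
dn: CN=IDM$,CN=Users,DC=adexample,DC=com
userAccountControl: 2080
sAMAccountName: IDM$

# WS01$, Computers, adexample.com
dn: CN=WS01$,CN=Computers,DC=adexample,DC=com
userAccountControl: 4096
sAMAccountName: WS01$

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of entries (dict: lowercased attr -> list of values).

    Handles '#' comment lines, folded continuation lines (leading space) and
    skips base64 ('::') values, which none of the attributes queried here use.
    Non-LDIF lines such as the password prompt are ignored.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;-]*):(:?) ?(.*)$", line)
        if not m or m.group(2):               # not attr: value, or base64 value
            continue
        current.setdefault(m.group(1).lower(), []).append(m.group(3))
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Return the set of known flag names set in a userAccountControl integer."""
    uac = int(value)
    return {name for bit, name in UAC_FLAGS.items() if uac & bit}


def find_trust_leftovers(ldif_text, flat_name):
    """Return trustedDomain objects and trust accounts still referencing flat_name."""
    found = {"trusted_domains": [], "trust_accounts": []}
    want = flat_name.upper()
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry:                 # 'search:'/'result:' trailer, not an object
            continue
        dn = entry["dn"][0]
        if any(v.upper() == want for v in entry.get("flatname", [])):
            found["trusted_domains"].append(dn)
        sam = entry.get("samaccountname", [""])[0]
        flags = decode_uac(entry["useraccountcontrol"][0]) if "useraccountcontrol" in entry else set()
        if sam.upper() == want + "$" and "INTERDOMAIN_TRUST_ACCOUNT" in flags:
            found["trust_accounts"].append((dn, sorted(flags)))
    return found


if __name__ == "__main__":
    report = find_trust_leftovers(SAMPLE_LDIF, "IDM")
    for dn in report["trusted_domains"]:
        print("stale trustedDomain object:", dn)
    for dn, flags in report["trust_accounts"]:
        print("stale trust account:", dn, "flags:", ", ".join(flags))
    if not (report["trusted_domains"] or report["trust_accounts"]):
        print("no trust objects found for IDM")
```

Run it against the real ldapsearch output (both searches concatenated) after the uninstall; any hit means the trust has to be removed on the AD side by hand until the uninstaller does it.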

Comment 7 Florence Blanc-Renaud 2020-02-14 15:35:39 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL8.