Bug 694336

Summary: Group sync hangs Windows initial Sync
Product: [Retired] 389 Reporter: Diego Woitasen <diego>
Component: Sync ServiceAssignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: high Docs Contact:
Priority: high    
Version: 1.2.8CC: amsharma
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 698368 (view as bug list) Environment:
Last Closed: 2015-12-07 17:03:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 434915, 698368, 708096    
Attachments:
Description Flags
Prevents userAccountControl modify for groups
none
Prevents userAccountControl modify for groups (v2) none

Description Diego Woitasen 2011-04-07 01:50:29 UTC 
Description of problem:
When you setup users and groups Sync, the syncronization fails with an "operation error". I sniffed the traffic between 389 DS and Windows (2003) and discovered that the first group is created but after that, there is an error on a modify operation. 389 DS is trying to add the userAccountControl attribute to the group and Windows replies with "object class violation".

I've searched in the web and it looks like userAccountControl is only for users, not for groups. Looking at the Windows Sync code it looks like 389 DS always add that attribute for bot


Version-Release number of selected component (if applicable):
1.2.8.rc4
Comment 1 Diego Woitasen 2011-04-09 18:14:21 UTC 
Created attachment 490983 [details]
Prevents userAccountControl modify for groups
Comment 2 Diego Woitasen 2011-04-09 22:06:35 UTC 
Comment on attachment 490983 [details]
Prevents userAccountControl modify for groups

There is small bug in this patch, use the other one.
Comment 3 Diego Woitasen 2011-04-09 22:07:17 UTC 
Created attachment 491013 [details]
Prevents userAccountControl modify for groups (v2)
Comment 6 Rich Megginson 2011-04-28 19:36:39 UTC 
To ssh://git.fedorahosted.org/git/389/ds.git
   ff7be17..c2c82cb  master -> master
commit c2c82cb46417f033f5a8e1bb2cef58cfb29e82b6
Author: Rich Megginson <rmeggins>
Date:   Thu Apr 28 13:29:55 2011 -0600
    Reviewed by: rmeggins (Author: diego.ar)
    Branch: master
    Fix Description: winsync was getting back an error 65 (object class violatio
    attempting to add the userAccountControl attribute to a group entry.
    Only do this for user entries.  I modified the patch slightly to change the
    formatting, and to use "is_user" rather than "!is_group" to test whether
    or not to send the userAccountControl attribute.
    Platforms tested: RHEL6 x86_64, Windows 2008 r2
    Flag Day: no
    Doc impact: no
To ssh://git.fedorahosted.org/git/389/ds.git
   96c7f67..3bb70c1  389-ds-base-1.2.8 -> 389-ds-base-1.2.8
commit 3bb70c18739f8f7a04a2382ae7ffcb7d7bc68ec9
Author: Rich Megginson <rmeggins>
Date:   Thu Apr 28 13:29:55 2011 -0600