| Summary: | Allow sync of "pseudo-user" accounts | ||
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Rich Megginson <rmeggins> |
| Component: | Sync Service | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED DEFERRED | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 1.2.9 | CC: | nhosoi, poelstra, rcritten, ssorce |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-19 19:27:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 495079, 690319 | ||
Any RID below 1000 belongs to wellknown SIDs But I am not sure you can use that to weed out users/groups. Here you can find a list of SIDs/RIDS that are wellknown: http://git.samba.org/?p=samba.git;a=blob;f=librpc/idl/security.idl;h=2b6efc5318480606f19f6fe25976fe9514114fbc;hb=master start at line 200ish Simo, is this a 6.3 feature? If not, then when? I don't know, we do not use winsync for our ad trust plans which are the driver for 3.0 (In reply to comment #3) > I don't know, we do not use winsync for our ad trust plans which are the driver > for 3.0 So can we mark this as CLOSED WONTFIX? Would still be a good enhancement until we can completely scrap winsync. Upstream ticket: https://fedorahosted.org/389/ticket/30 Closing this bug since we moved to the ticket system: https://fedorahosted.org/389/ticket/30 |
Description of problem: There are "pseudo-user" accounts in AD that have mostly "user" objectclass schema but are missing required attributes in DS, such as the "sn" attribute. There may be some cases where we want to allow the user to sync these entries: "I think it might be clearer if we synchronized all accounts that do not use built-in SIDs (reserved) and are in the correct cn / ou since there is no such things as a 'psuedo user' in AD. There may be cases where it is desirable for application users to sync, for example a user used for monitoring could log in from an application server to Linux / Windows with the same account. This user might not have all the attributes that a real person would have." We could fill in the missing values in several ways: 1) hard coded value ("Missing Surname") 2) set value to use in winsync agreement entry winsyncMissing: sn Missing Surname or winsyncMissing: sn $displayName or winsyncMissing: sn (objectclass=ipaWinsyncConfig) sn the last is similar to what the ipa-winsync plugin does for missing posix attributes. The list of well-known SIDs/RIDs is found here - http://git.samba.org/?p=samba.git;a=blob;f=librpc/idl/security.idl;h=2b6efc5318480606f19f6fe25976fe9514114fbc;hb=master