Bug 740081

Summary: Allow sync of "pseudo-user" accounts
Product: [Retired] 389 Reporter: Rich Megginson <rmeggins>
Component: Sync ServiceAssignee: Rich Megginson <rmeggins>
Status: CLOSED DEFERRED QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 1.2.9CC: nhosoi, poelstra, rcritten, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 19:27:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 495079, 690319    

Description Rich Megginson 2011-09-20 20:58:21 UTC 
Description of problem:
There are "pseudo-user" accounts in AD that have mostly "user" objectclass schema but are missing required attributes in DS, such as the "sn" attribute.  There may be some cases where we want to allow the user to sync these entries:

"I think it might be clearer if we synchronized all accounts that do not use built-in SIDs (reserved) and are in the correct cn / ou since there is no such things as a 'psuedo user' in AD.  There may be cases where it is desirable for application users to sync, for example a user used for monitoring could log in from an application server to Linux / Windows with the same account.  This user might not have all the attributes that a real person would have."

We could fill in the missing values in several ways:
1) hard coded value ("Missing Surname")
2) set value to use in winsync agreement entry
winsyncMissing: sn Missing Surname
or
winsyncMissing: sn $displayName
or
winsyncMissing: sn (objectclass=ipaWinsyncConfig) sn
the last is similar to what the ipa-winsync plugin does for missing posix attributes.

The list of well-known SIDs/RIDs is found here - http://git.samba.org/?p=samba.git;a=blob;f=librpc/idl/security.idl;h=2b6efc5318480606f19f6fe25976fe9514114fbc;hb=master
Comment 1 Simo Sorce 2011-09-20 21:05:43 UTC 
Any RID below 1000 belongs to wellknown SIDs

But I am not sure you can use that to weed out users/groups.

Here you can find a list of SIDs/RIDS that are wellknown:
http://git.samba.org/?p=samba.git;a=blob;f=librpc/idl/security.idl;h=2b6efc5318480606f19f6fe25976fe9514114fbc;hb=master

start at line 200ish
Comment 2 Rich Megginson 2011-10-17 21:14:08 UTC 
Simo, is this a 6.3 feature?  If not, then when?
Comment 3 Simo Sorce 2011-10-17 21:41:47 UTC 
I don't know, we do not use winsync for our ad trust plans which are the driver for 3.0
Comment 4 Rich Megginson 2011-10-17 21:47:05 UTC 
(In reply to comment #3)
> I don't know, we do not use winsync for our ad trust plans which are the driver
> for 3.0

So can we mark this as CLOSED WONTFIX?
Comment 5 Rich Megginson 2011-10-19 19:41:01 UTC 
Would still be a good enhancement until we can completely scrap winsync.
Comment 8 Martin Kosek 2012-01-04 13:21:27 UTC 
Upstream ticket:
https://fedorahosted.org/389/ticket/30
Comment 10 Noriko Hosoi 2015-11-19 19:27:54 UTC 
Closing this bug since we moved to the ticket system:
https://fedorahosted.org/389/ticket/30