Bug 755436

Summary: uidNumber and gidNumber are not synced from Active Directory during winsync operation.

Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.0
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Reporter: Gowrishankar Rajaiyan <grajaiya>
Assignee: Martin Kosek <mkosek>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: dpal, jgalipea, mkosek
Doc Type: Bug Fix
Last Closed: 2014-10-02 10:50:04 UTC

Description Gowrishankar Rajaiyan 2011-11-21 06:22:37 UTC
Description of problem:
During system integration test day for ipa, atolani found that uidNumber and gidNumber from Active Directory did not get synced during a winsync operation. Thanks to atolani for reporting this.


Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create user in AD with a specific uidNumber. (1000099999 in this case)
[root@decepticons ~]# ldapsearch -LLL -x -h dhcp201-112.englab.pnq.redhat.com -D "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" -w Secret123 -b "CN=user4 4. user4,CN=Users,dc=englab,dc=pnq,dc=redhat,dc=com" uidNumber gidNumber unixHomeDirectory loginShell
dn: CN=user4 4. user4,CN=Users,DC=englab,DC=pnq,DC=redhat,DC=com
uidNumber: 1000099999
gidNumber: 1000099999
unixHomeDirectory: /home/userfour
loginShell: /bin/bash


2. Perform sync operation.
ipa-replica-manage connect --winsync --passsync=password --cacert=/root/wincertnew.cer dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123

3. Verify on the IPA server with "ipa user-show user4 --all --raw".

Actual results: uidNumber and gidNumber are not synced and are assigned from the IPA server's range.
[root@decepticons ~]# ipa user-show user4 --all --raw
  dn: uid=user4,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  uid: user4
  givenname: user4
  sn: user4
  cn: user4 4. user4
  initials: 4
  homedirectory: /home/user4               <<<<<<<<<<<<<<<
  gecos: user4 4. user4
  loginshell: /bin/sh               <<<<<<<<<<<<<<<
  krbprincipalname: user4.PNQ.REDHAT.COM
  uidnumber: 1814400123               <<<<<<<<<<<<<<<
  gidnumber: 1814400123               <<<<<<<<<<<<<<<
  nsaccountlock: False
  has_keytab: False
  has_password: False
  ipauniqueid: cd8e36c0-1406-11e1-90cf-525400f56e2e
  mepmanagedentry: cn=user4,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  ntuniqueid: f016a60c20bff0469fab24cd015f2a93
  ntuseracctexpires: 9223372036854775807
  ntusercodepage: MA==
  ntuserdeleteaccount: true
  ntuserdomainid: user4
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetOrgPerson
  objectclass: ntUser
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: mepOriginEntry
[root@decepticons ~]#

Expected results:
uidNumber and gidNumber are synced from Active Directory.

Additional info: See the same behavior with "login shell" and "home directory".
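The check below is an added example, not code from the bug report or from FreeIPA. It parses the two attribute dumps the reporter pasted (the ldapsearch LDIF from AD and the `ipa user-show --all --raw` output from IPA), maps the AD POSIX attribute names onto the names IPA uses in its raw output, and lists every attribute whose value differs, which is exactly the drift the report describes. The sample data is constructed from the values shown above; the attribute mapping (uidNumber, gidNumber, unixHomeDirectory, loginShell to uidnumber, gidnumber, homedirectory, loginshell) and the `posix_drift` helper are this example's own. When capturing real data, prefer `ldapsearch -W` (prompt) or `-y passwordfile` over `-w password`, since the report's command line exposes the AD administrator password to anyone who can read the process list or shell history.

```python
"""Compare POSIX attributes of an AD user with the winsynced IPA entry.

Added example: parses 'attr: value' dumps from AD (ldapsearch LDIF) and
from IPA (`ipa user-show --all --raw`) and reports attributes that differ.
"""
import base64
import re

# AD attribute name -> attribute name as printed by `ipa user-show --raw`
# (this mapping is the example's own assumption, taken from the report).
ATTR_MAP = {
    "uidNumber": "uidnumber",
    "gidNumber": "gidnumber",
    "unixHomeDirectory": "homedirectory",
    "loginShell": "loginshell",
}

# Constructed sample: the AD entry as shown in the report.
AD_LDIF = """\
dn: CN=user4 4. user4,CN=Users,DC=englab,DC=pnq,DC=redhat,DC=com
uidNumber: 1000099999
gidNumber: 1000099999
unixHomeDirectory: /home/userfour
loginShell: /bin/bash
"""

# Constructed sample: the IPA entry after winsync, as shown in the report.
IPA_RAW = """\
  dn: uid=user4,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  uid: user4
  homedirectory: /home/user4
  loginshell: /bin/sh
  uidnumber: 1814400123
  gidnumber: 1814400123
  objectclass: posixaccount
"""

_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$")


def parse_attrs(text):
    """Parse 'attr: value' lines into {lowercase_attr: [values]}.

    Handles LDIF base64 values ('attr:: ...'); ignores blank and comment
    lines and the indentation that `ipa user-show` adds.
    """
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(key, []).append(value)
    return attrs


def posix_drift(ad_text, ipa_text):
    """Return {ipa_attr: (ad_value, ipa_value)} for each mapped POSIX
    attribute whose IPA value is not the AD value. None marks a side
    that lacks the attribute entirely."""
    ad = parse_attrs(ad_text)
    ipa = parse_attrs(ipa_text)
    drift = {}
    for ad_name, ipa_name in ATTR_MAP.items():
        ad_val = ad.get(ad_name.lower(), [None])[0]
        ipa_val = ipa.get(ipa_name, [None])[0]
        if ad_val != ipa_val:
            drift[ipa_name] = (ad_val, ipa_val)
    return drift


if __name__ == "__main__":
    for attr, (ad_val, ipa_val) in sorted(posix_drift(AD_LDIF, IPA_RAW).items()):
        print(f"{attr}: AD={ad_val!r} IPA={ipa_val!r}")
```

On the report's data all four mapped attributes come back as drift, matching the lines the reporter marked with arrows; an empty result means the IPA entry carries the AD-defined POSIX values.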

Comment 2 Dmitri Pal 2011-11-22 16:14:04 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2133

Comment 3 Dmitri Pal 2011-12-09 20:05:44 UTC
Corresponding DS enhancement request https://bugzilla.redhat.com/show_bug.cgi?id=765986

Comment 7 Martin Kosek 2013-10-25 11:32:15 UTC
Upstream ticket https://fedorahosted.org/freeipa/ticket/2133 was closed as a duplicate to https://fedorahosted.org/freeipa/ticket/3007.

Apparently, this RFE was already fixed upstream and thus will be part of 7.0 rebase.

Comment 8 Martin Kosek 2013-10-29 15:41:15 UTC
This feature was further investigated and we were not confident that it is indeed in a shape ready for production release in 7.0. Moving back to 7.1. I filed Bug 1024411 to clearly document IPA AD integration options, what are the use cases and options.

Comment 9 Martin Kosek 2014-10-02 10:50:04 UTC
This issue is clearly documented, as stated in

https://bugzilla.redhat.com/show_bug.cgi?id=1024411#c1

IdM has other means to handle POSIX data from AD, like Trusts with POSIX type (http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD) or ID Views (Bug 891984)!

Closing this bug as WONTFIX then. Please reopen if there is a disagreement or confusion with other proposed IdM options.