Bug 798352

Summary: winsync now does not fill gidnumber
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.3
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Rob Crittenden <rcritten>
Assignee: Rob Crittenden <rcritten>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: jgalipea, mkosek, sgoveas
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-2.2.0-5.el6
Doc Type: Bug Fix
Doc Text: No documentation needed.
Last Closed: 2012-06-20 13:19:55 UTC

Description Rob Crittenden 2012-02-28 17:42:26 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2436

Ticket #2238 changed the ipa default user group `ipausers` to non-posix. This, however, conflicts with our winsync synchronization, which now creates non-posix IPA users with no GID number. Such users are then also not shown in the `ipa user-find` command.

dirsrv error_log reports the following errors:
{{{
[root@vm-068 freeipa-stable]# tail -f /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
[23/Feb/2012:10:49:49 -0500] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTodhcp201-112.englab.pnq.redhat.com" (dhcp201-112:389)". Sent 8 entries.
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:54:39 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
...
}}}

If the ipausers group is made a posix group again, users are created with a GID number. We may want to either make `ipa-replica-manage` report this situation to the user before an agreement is created so that he can make ipausers a posix group, or fix the ipa-winsync plugin to not require this GID, since AD users have private groups by default.

This ticket may be connected with #2324.
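
One way to detect this condition from the directory server errors log, as an added example that is not part of the original report or of the IPA code base: it groups the `ipa_winsync_config_refresh_domain` errors by subtree and attribute and reports how often and when they occurred. The sample lines are constructed in the format shown above, with a placeholder hostname and suffix; the function and constant names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the errors-log format shown in the report
# (hostname and suffix are placeholders, not values from the report).
SAMPLE_LOG = """\
[23/Feb/2012:10:49:49 -0500] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meToad.example.com" (ad:389)". Sent 8 entries.
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=example,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:54:39 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=example,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
"""

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 23/Feb/2012:10:50:06 -0500
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] ipa_winsync_config_refresh_domain - .*?"
    r"could not find the entry containing the default \S+ "
    r"ds subtree \[(?P<subtree>[^\]]*)\] "
    r"filter \[(?P<filter>[^\]]*)\] attr \[(?P<attr>[^\]]*)\]"
)


def missing_default_attr_events(log_text):
    """Group winsync 'default attribute not found' errors by (subtree, attr).

    Returns {(subtree, attr): {"count", "first", "last"}}; lines from other
    plugins or with another message are ignored.
    """
    stamps_by_key = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        stamps_by_key[(m.group("subtree"), m.group("attr"))].append(ts)
    return {
        key: {"count": len(stamps), "first": min(stamps), "last": max(stamps)}
        for key, stamps in stamps_by_key.items()
    }


if __name__ == "__main__":
    for (subtree, attr), info in missing_default_attr_events(SAMPLE_LOG).items():
        print(f"{attr} default missing under {subtree}: {info['count']} errors, "
              f"{info['first'].isoformat()} to {info['last'].isoformat()}")
```
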

Comment 4 Martin Kosek 2012-04-24 13:30:28 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed.

Comment 5 Steeve Goveas 2012-04-25 14:01:26 UTC
default behavior :: user synced, UPG created and user's GID number set to UPG GID, which should be the same as their UID, and user is not added to ipausers group

[root@primenova ~]# ipa user-find steeve
---------------
2 users matched
---------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: steeve2
  First name: steeve2
  Last name: ads
  Home directory: /home/steeve2
  Login shell: /bin/sh
  UID: 1084800166
  GID: 1084800166
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 2
----------------------------
[root@primenova ~]#


[root@primenova ~]# ipa-managed-entries -e "UPG Definition" status
Plugin Enabled
[root@primenova ~]#

[root@primenova ~]# ipa group-find ipausers
---------------
1 group matched
---------------
  Group name: ipausers
  Description: Default group for all users
  Member users: shanksipa
----------------------------
Number of entries returned 1
----------------------------
[root@primenova ~]#

Verified in version ipa-server-2.2.0-11.el6.x86_64

Comment 7 errata-xmlrpc 2012-06-20 13:19:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html