Bug 924937

Summary: Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync
Product: Red Hat Enterprise Linux 7
Component: 389-ds-base
Version: 7.1
Status: CLOSED ERRATA
Severity: unspecified
Priority: low
Reporter: Ján Rusnačko <jrusnack>
Assignee: Rich Megginson <rmeggins>
QA Contact: Viktor Ashirov <vashirov>
CC: nhosoi, nkinder, sramling, vashirov
Target Milestone: rc
Target Release: 7.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-03-05 09:30:26 UTC

Description Ján Rusnačko 2013-03-22 21:15:14 UTC
Description of problem:
The PosixWinsync plugin keeps posix attributes in sync between DS and AD. One of the configuration options for this plugin is posixWinsyncMapMemberUID, which attempts to populate the memberUid attribute in 389 if it is missing from AD, based on the member attribute. The default for this attribute is TRUE. However, if this attribute is enabled, the plugin fails to correctly synchronize nested posix groups.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-11 on RHEL 6.4

How reproducible:
always

Steps to Reproduce:
1. Set posixWinsyncMapMemberUid to TRUE for the Posix Winsync API plugin.
2. Add a posix group (group1) on AD.
3. Add another posix group (group2) with group1 as a member. Basically, you are testing nested groups.
4. When the group is synced (or the sync is attempted) to DS, it throws this error message: Entry "cn=adg_posix_t13_00,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed

==> /var/log/dirsrv/slapd-M1/errors <==
[22/Mar/2013:14:12:35 -0400] - Entry "cn=adg_posix_t13_00,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed
[22/Mar/2013:14:12:36 -0400] - Entry "cn=adg_posix_t13_01,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed
[22/Mar/2013:14:12:36 -0400] - Entry "cn=adg_posix_t13_02,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed

The corresponding AD entry looks like this...

[root@intel-piketon-01 MMR_WINSYNC]# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-M1/cert8.db -h win2k8rhvd64.win2k8sync64.com -p 636 -D "cn=SyncManager,cn=Users,dc=win2k8sync64,dc=com" -w Secret123 -b cn=adg_posix_t13_01,ou=adpasssync,dc=win2k8sync64,dc=com objectClass=*
version: 1
dn: CN=adg_posix_t13_01,OU=adpasssync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: posixGroup
objectClass: group
cn: adg_posix_t13_01
member: CN=adg_posix_t13,OU=adpasssync,DC=win2k8sync64,DC=com
distinguishedName: CN=adg_posix_t13_01,OU=adpasssync,DC=win2k8sync64,DC=com
instanceType: 4
whenCreated: 20130322181406.0Z
whenChanged: 20130322181406.0Z
uSNCreated: 426380
uSNChanged: 426383
name: adg_posix_t13_01
objectGUID:: ar229MRn8E+UaCdTwlVPHA==
objectSid:: AQUAAAAAAAUVAAAAwfmfzEa6cJsGbjjEcFAAAA==
sAMAccountName: adg_posix_t13_01
sAMAccountType: 268435457
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=win2k8sync64,DC=com
dSCorePropagationData: 16010101000000.0Z
gidNumber: 3933

Additional info:
This issue was originally reported by Milan Kubik and discovered as part of posix Winsync automation. It is automated and corresponds to /scripts/MMR_WINSYNC/posix_sync_manual.sh testcase bug847868_13.

Comment 1 Nathan Kinder 2013-04-01 22:08:49 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/47310

Comment 3 Viktor Ashirov 2015-01-19 02:27:24 UTC
$ rpm -qa | grep 389
389-ds-base-debuginfo-1.3.3.1-11.el7.x86_64
389-ds-base-libs-1.3.3.1-11.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

Using test case bug847868_13 I added posix groups on AD:

dn: CN=adg_posix_t13_00,OU=adsync,DC=adrelm,DC=com
objectClass: top
objectClass: posixGroup
objectClass: group
cn: adg_posix_t13_00
member: CN=adg_posix_t13,OU=adsync,DC=adrelm,DC=com
distinguishedName: CN=adg_posix_t13_00,OU=adsync,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20150119021429.0Z
whenChanged: 20150119021429.0Z
uSNCreated: 32944
uSNChanged: 32947
name: adg_posix_t13_00
objectGUID:: I0ToPFoDcEi46e5tB9O2tA==
objectSid:: AQUAAAAAAAUVAAAAiiwF82aDDckPUPdEmwQAAA==
sAMAccountName: adg_posix_t13_00
sAMAccountType: 268435457
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
gidNumber: 3933


Corresponding entry in DS after sync:

dn: cn=adg_posix_t13_00,ou=People,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: ntGroup
objectclass: posixGroup
objectclass: dynamicGroup
ntGroupDeleteGroup: true
cn: adg_posix_t13_00
uniqueMember: cn=adg_posix_t13,ou=People,dc=example,dc=com
ntUserDomainId: adg_posix_t13_00
ntGroupType: 2
ntUniqueId: 2344e83c5a037048b8e9ee6d07d3b6b4
gidNumber: 3933
dsOnlyMemberUid: adu_posix_t13
memberUid: adu_posix_t13


objectClass dynamicGroup was added to allow the dsOnlyMemberUid attribute; no errors in the error log.
Marking as VERIFIED.
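The error in the description and the verification in comment 3 both come down to a schema check: an attribute is only accepted if one of the entry's objectClasses allows it. The following added example (not part of this bug or of 389-ds) reproduces that check over the synced DS entry from comment 3, once without and once with the dynamicGroup objectClass. The SCHEMA table is a simplified assumption standing in for the server's real schema.

```python
import re
# Simplified objectClass -> allowed attributes, assembled for this added example from
# RFC 2307/RFC 4519 plus a subset of the 389-ds ntGroup and winsync schema; it is an
# assumption standing in for the server's full schema, not a copy of it.
SCHEMA = {
    "top": {"objectclass"},
    "posixgroup": {"cn", "gidnumber", "userpassword", "memberuid", "description"},
    "groupofuniquenames": {"cn", "uniquemember", "owner", "ou", "o", "description"},
    "ntgroup": {"ntuserdomainid", "ntgrouptype", "ntuniqueid", "ntgroupdeletegroup"},
    "dynamicgroup": {"dsonlymemberuid"},   # the class the fixed plugin adds
}
LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(:?) ?(.*)$")

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercase attr: (name as written, [values])}.
    Base64 values ('::') stay encoded; only attribute names matter here."""
    entry = {}
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if m:  # skip blanks, comments and continuation lines
            name, _b64, value = m.groups()
            entry.setdefault(name.lower(), (name, []))[1].append(value)
    return entry

def check_entry(entry):
    """Return the 'not allowed' messages a schema-checking DS would log for entry."""
    allowed = set()
    for oc in entry.get("objectclass", ("objectClass", []))[1]:
        allowed |= SCHEMA.get(oc.lower(), set())
    return ['attribute "%s" not allowed' % name
            for key, (name, _v) in entry.items() if key != "dn" and key not in allowed]

# Constructed from the synced DS entry in comment 3, with dynamicGroup left out
SYNCED_WITHOUT_DYNAMICGROUP = """\
dn: cn=adg_posix_t13_00,ou=People,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: ntGroup
objectclass: posixGroup
cn: adg_posix_t13_00
uniqueMember: cn=adg_posix_t13,ou=People,dc=example,dc=com
ntUserDomainId: adg_posix_t13_00
gidNumber: 3933
dsOnlyMemberUid: adu_posix_t13
memberUid: adu_posix_t13
"""
SYNCED_WITH_DYNAMICGROUP = SYNCED_WITHOUT_DYNAMICGROUP.replace(
    "objectclass: posixGroup\n", "objectclass: posixGroup\nobjectclass: dynamicGroup\n")

if __name__ == "__main__":
    for label, ldif in (("before", SYNCED_WITHOUT_DYNAMICGROUP), ("after", SYNCED_WITH_DYNAMICGROUP)):
        print(label, check_entry(parse_ldif_entry(ldif)) or "schema OK")
```

Running it reports the same "attribute "dsOnlyMemberUid" not allowed" message as the errors log for the first entry and nothing for the second.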

Comment 5 errata-xmlrpc 2015-03-05 09:30:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html