Bug 949362

Summary: posix winsync will not create memberuid values if group entry become posix group in the same sync interval
Product: Red Hat Enterprise Linux 7 Reporter: Nathan Kinder <nkinder>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: jgalipea, mkubik, nhosoi, sramling
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.1.2-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 11:12:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nathan Kinder 2013-04-08 01:35:00 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/550

posix winsync plugin can create memberUid values according the uniquemember values.
prerequisite is that the group is already a posix group. 
Will add the posix attributes (gid) and the group members on the AD on the same time, so it occurs in the same sync interval and the memberUid values will not generated.

Workaround:
1. On a new group add first the GID on AD, wait until the GID is added on DS and add then members to the group on AD.
or
2. Schedule a memberuid task
or
3. do a full resync

I will work on this issue.
Comment 1 Rich Megginson 2013-10-01 23:24:37 UTC 
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.
Comment 3 Milan KubĂ­k 2014-02-21 18:32:48 UTC 
389-ds-base-1.3.1.6-19.el7 
Windows Server 2008 R2 Enterprise
setup without password sync

$ ldapsearch -x -D "cn=directory manager" -LLL -w Secret123 -b "cn=plugins,cn=config" "cn=posix*" posixwinsyncmapmemberuid posixwinsynccreatememberoftask
dn: cn=Posix Winsync API,cn=plugins,cn=config
posixwinsyncmapmemberuid: true
posixwinsynccreatememberoftask: false


$ ldapsearch -x -D "cn=directory manager" -LLL -w Secret123 -b "cn=plugins,cn=config" "cn=memberof plugin" memberofgroupattr
dn: cn=MemberOf Plugin,cn=plugins,cn=config
memberofgroupattr: member
memberofgroupattr: uniquemember

$ cat nonposix.ldif 
dn: cn=nonposix,ou=pwd,dc=example,dc=com
changetype: modify
add: member
member: CN=leonardo da vinci,OU=pwd,DC=example,DC=com
-
add: objectclass
objectclass: posixGroup
-
add: gidNumber
gidNumber: 42

$ ldapmodify -x -D "cn=administrator,cn=users,dc=example,dc=com" -w NewPassword1234 -h windir.example.com -f nonposix.ldif

$ ldapsearch -xLLL -D "cn=directory manager" -w Secret123 -b "dc=example,dc=com" "cn=nonposix" 
dn: cn=nonposix,ou=People,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
objectClass: ntGroup
objectClass: posixGroup
gidNumber: 42
uniqueMember: uid=ldavinci,ou=People,dc=example,dc=com
ntGroupDeleteGroup: true
cn: nonposix
description: initially nonposix group
ntUserDomainId: nonposix
ntGroupType: -2147483646
ntUniqueId: 39fe385de45b844c9e76a2ee3b875312

$ ldapsearch -xLLL -D "cn=directory manager" -w Secret123 -b "dc=example,dc=com" "uid=ldavinci"
dn: uid=ldavinci,ou=People,dc=example,dc=com
memberOf: cn=nonposix,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
objectClass: inetUser
ntUserDeleteAccount: true
uid: ldavinci
sn: da vinci
givenName: leonardo
cn: leonardo da vinci
ntUserCodePage: 0
ntUserAcctExpires: 9223372036854775807
ntUserDomainId: ldavinci
ntUniqueId: 867ae3219b726247b29a5cc3431a6651

The memberOf and gidNumber attributes were created/synced correctly. Marking as verified.
Comment 4 Ludek Smid 2014-06-13 11:12:39 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.