Red Hat Bugzilla – Bug 1016038
Users from AD sub OU does not sync to IPA
Last modified: 2015-02-14 09:15:46 EST
[root@dhcp207-25 ~]# yum install ipa-server

Dependencies Resolved

================================================================================
 Package               Arch      Version              Repository          Size
================================================================================
Installing:
 ipa-server            x86_64    3.0.0-37.el6         ipa-latest         1.1 M
Installing for dependencies:
 389-ds-base           x86_64    1.2.11.15-28.el6     errata-15403       1.5 M
 ipa-server-selinux    x86_64    3.0.0-37.el6         ipa-latest          63 k
 slapi-nis             x86_64    0.40-4.el6           rhel-latest        100 k

Transaction Summary
================================================================================
Install       4 Package(s)

Total download size: 2.7 M
Installed size: 9.4 M
Is this ok [y/N]: y

* Listing OU, sub OU and its users

[root@dhcp207-25 ~]# ldapsearch -LLLx -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -b "OU=level1,DC=adrelm,DC=com" dn
dn: OU=level1,DC=adrelm,DC=com

dn: OU=sub-level1,OU=level1,DC=adrelm,DC=com

dn: CN=sub1user2 ads,OU=sub-level1,OU=level1,DC=adrelm,DC=com

dn: CN=sub1user3 ads,OU=sub-level1,OU=level1,DC=adrelm,DC=com

dn: CN=l1user ads,OU=level1,DC=adrelm,DC=com

[root@dhcp207-25 ~]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1419000000
  GID: 1419000000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-25 ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/tmp/tmp.ZtZE5tgbD4/ADcert.cer squab.adrelm.com --binddn "CN=Administrator,CN=Users,DC=adrelm,DC=com" --bindpw Secret123 -v -p Secret123 --win-subtree="OU=level1,DC=adrelm,DC=com"
Added CA certificate /tmp/tmp.ZtZE5tgbD4/ADcert.cer to certificate database for dhcp207-25.testrelm.com
ipa: INFO: AD Suffix is: DC=adrelm,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update succeeded
Connected 'dhcp207-25.testrelm.com' to 'squab.adrelm.com'

* Users from Sub OU synced to IPA

[root@dhcp207-25 ~]# ipa user-find | egrep 'User login|Account disabled|Password'
  User login: admin
  Account disabled: False
  Password: True
  User login: l1user
  Account disabled: False
  Password: False
  User login: sub1user2
  Account disabled: False
  Password: False
  User login: sub1user3
  Account disabled: False
  Password: False

* Reset passwords on AD. OU and sub OU users passwords synced.

[root@dhcp207-25 ~]# ipa user-find | egrep 'User login|Account disabled|Password'
  User login: admin
  Account disabled: False
  Password: True
  User login: l1user
  Account disabled: False
  Password: True
  User login: sub1user2
  Account disabled: False
  Password: True
  User login: sub1user3
  Account disabled: False
  Password: True

* Verified in version

[root@dhcp207-25 ~]# rpm -q 389-ds-base ipa-server
389-ds-base-1.2.11.15-28.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1653.html