Bug 1181093 - PassSync does not sync passwords due to missing ACIs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: Regression
Reported: 2015-01-12 06:15 EST by Steeve Goveas
Modified: 2016-01-27 08:56 EST
Fixed In Version: ipa-4.1.0-16.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 05:19:21 EST
Type: Bug


Attachments
Directory Server access logs (235.14 KB, application/x-gzip), 2015-01-13 08:35 EST, Steeve Goveas


External Trackers
Red Hat Product Errata RHSA-2015:0442 (priority normal, status SHIPPED_LIVE): Moderate: ipa security, bug fix, and enhancement update; last updated 2015-03-05 09:50:39 EST

Description Steeve Goveas 2015-01-12 06:15:43 EST
Description of problem:
Password of AD user is not syncing to IPA

Version-Release number of selected component (if applicable):
[root@sideswipe ~]# rpm -q ipa-server 389-ds-base
ipa-server-4.1.0-13.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64


How reproducible:


Steps to Reproduce:
1. Install IPA
2. Create winsync agreement
3. Add new user on AD and set password
4. Reset password of existing user
5. Passwords in above cases should sync on IPA server

Actual results:
[root@sideswipe ~]# hostname
sideswipe.ipasync.test

[root@sideswipe ~]# ipa user-show aduser1
  User login: aduser1
  First name: ads
  Last name: user
  Home directory: /home/aduser1
  Login shell: /bin/sh
  Email address: aduser1@testrelm.test
  UID: 184400014
  GID: 184400014
  Telephone Number: 66778839
  Account disabled: False
  Password: False
  Kerberos keys available: False

Logs on resetting password on AD

01/12/15 16:38:50: Received passhook event.  Attempting sync
01/12/15 16:38:50: 1 new entries loaded from data file
01/12/15 16:38:50: Cleared contents of data file
01/12/15 16:38:50: Password list has 2 entries
01/12/15 16:38:51: Attempting to sync password for frank
01/12/15 16:38:51: Searching for (ntuserdomainid=frank)
01/12/15 16:38:51: There are no entries that match: frank
01/12/15 16:38:51: Deferring password change for frank
01/12/15 16:38:51: Attempting to sync password for aduser1
01/12/15 16:38:51: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:51: There are no entries that match: aduser1
01/12/15 16:38:51: Deferring password change for aduser1
01/12/15 16:38:51: Backing off for 2000ms
01/12/15 16:38:53: Backoff time expired.  Attempting sync
01/12/15 16:38:53: Password list has 2 entries
01/12/15 16:38:53: Attempting to sync password for frank
01/12/15 16:38:53: Searching for (ntuserdomainid=frank)
01/12/15 16:38:53: There are no entries that match: frank
01/12/15 16:38:53: Deferring password change for frank
01/12/15 16:38:53: Attempting to sync password for aduser1
01/12/15 16:38:53: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:53: There are no entries that match: aduser1
01/12/15 16:38:53: Deferring password change for aduser1
01/12/15 16:38:53: Backing off for 4000ms
01/12/15 16:38:57: Backoff time expired.  Attempting sync
01/12/15 16:38:57: Password list has 2 entries
01/12/15 16:38:57: Attempting to sync password for frank
01/12/15 16:38:57: Searching for (ntuserdomainid=frank)
01/12/15 16:38:57: There are no entries that match: frank
01/12/15 16:38:57: Deferring password change for frank
01/12/15 16:38:57: Attempting to sync password for aduser1
01/12/15 16:38:57: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:57: There are no entries that match: aduser1
01/12/15 16:38:57: Deferring password change for aduser1
01/12/15 16:38:57: Backing off for 8000ms


Expected results:
Passwords must sync on IPA server

Additional info:
Comment 3 Martin Kosek 2015-01-13 08:16:55 EST
It is probably related to the PermissionV2 feature which did ACI changes. Can you please provide Directory Server access log? It should contain the query that PassSync used to query the users.
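The two logs this thread works from, PassSync's own log in the description and the Directory Server access log requested here, can be correlated to separate a user entry that does not exist from one the sync account is not allowed to read. The script below is an added example, not code from the bug report, FreeIPA or PassSync. It assumes the usual 389-ds access-log line shapes (BIND, SRCH, RESULT keyed by conn/op); the bind DNs, base DN and every access-log line are constructed sample values, and the PassSync lines reuse the message shapes from the description.

```python
"""Added example; not code from the bug report, FreeIPA or PassSync.

A directory answers a search the bound identity may not satisfy with
err=0 and nentries=0, exactly as it would for an entry that is absent.
So a user PassSync keeps deferring, whose search returns nothing for the
sync account but an entry for another identity, is hidden by access
control (the ACI regression in this bug), not missing.
"""
import re
from collections import defaultdict

# Constructed PassSync log: same message shapes as the excerpt in the bug.
PASSSYNC_LOG = """\
01/12/15 16:38:51: Attempting to sync password for frank
01/12/15 16:38:51: Searching for (ntuserdomainid=frank)
01/12/15 16:38:51: There are no entries that match: frank
01/12/15 16:38:51: Deferring password change for frank
01/12/15 16:38:51: Attempting to sync password for aduser1
01/12/15 16:38:51: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:51: There are no entries that match: aduser1
01/12/15 16:38:51: Deferring password change for aduser1
01/12/15 16:38:51: Backing off for 2000ms
01/12/15 16:38:53: Backoff time expired.  Attempting sync
01/12/15 16:38:53: Deferring password change for frank
01/12/15 16:38:53: Deferring password change for aduser1
"""

# Constructed 389-ds access log with hypothetical DNs: conn=7 is the sync
# account, conn=8 a privileged identity that can read every user entry.
ACCESS_LOG = """\
[12/Jan/2015:16:38:51 -0500] conn=7 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=test" method=128 version=3
[12/Jan/2015:16:38:51 -0500] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Jan/2015:16:38:51 -0500] conn=7 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(ntuserdomainid=frank)" attrs=ALL
[12/Jan/2015:16:38:51 -0500] conn=7 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[12/Jan/2015:16:38:51 -0500] conn=7 op=2 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(ntuserdomainid=aduser1)" attrs=ALL
[12/Jan/2015:16:38:51 -0500] conn=7 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[12/Jan/2015:16:38:52 -0500] conn=8 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Jan/2015:16:38:52 -0500] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Jan/2015:16:38:52 -0500] conn=8 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(ntuserdomainid=aduser1)" attrs=ALL
[12/Jan/2015:16:38:52 -0500] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

DEFER_RE = re.compile(r"^\S+ \S+: Deferring password change for (\S+)$")
LINE_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) op=(\d+) (BIND|SRCH|RESULT) (.*)$")
FILTER_RE = re.compile(r'filter="\(ntuserdomainid=([^)]+)\)"', re.IGNORECASE)
BINDDN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r"\berr=(\d+)\b")
NENTRIES_RE = re.compile(r"\bnentries=(\d+)\b")


def deferred_users(passsync_log):
    """Count how many times PassSync deferred each user's password change."""
    counts = defaultdict(int)
    for line in passsync_log.splitlines():
        m = DEFER_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def ntuserdomainid_searches(access_log):
    """Yield (bind_dn, user, err, nentries) for every ntuserdomainid search,
    pairing each SRCH with the RESULT that carries the same conn and op."""
    bind_dn = {}   # conn -> DN bound on that connection
    pending = {}   # (conn, op) -> user named in the search filter
    found = []
    for line in access_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "BIND":
            dn = BINDDN_RE.search(rest)
            bind_dn[conn] = dn.group(1) if dn else "(anonymous)"
        elif kind == "SRCH":
            f = FILTER_RE.search(rest)
            if f:
                pending[(conn, op)] = f.group(1)
        elif kind == "RESULT" and (conn, op) in pending:
            user = pending.pop((conn, op))
            err = int(ERR_RE.search(rest).group(1))
            n = int(NENTRIES_RE.search(rest).group(1))
            found.append((bind_dn.get(conn, "(anonymous)"), user, err, n))
    return found


def suspected_aci_problems(passsync_log, access_log):
    """For each deferred user, decide whether the entry is merely invisible
    to the sync account (another identity gets nentries>0) or unseen by all."""
    seen_by = defaultdict(dict)  # user -> {bind_dn: nentries}
    for dn, user, err, n in ntuserdomainid_searches(access_log):
        if err == 0:
            seen_by[user][dn] = n
    report = {}
    for user, n_deferred in deferred_users(passsync_log).items():
        per_dn = seen_by.get(user, {})
        visible = sorted(dn for dn, n in per_dn.items() if n > 0)
        hidden = sorted(dn for dn, n in per_dn.items() if n == 0)
        status = "hidden by access control" if visible and hidden else "not visible to any searcher"
        report[user] = {"deferred": n_deferred, "status": status,
                        "hidden_from": hidden, "visible_to": visible}
    return report


if __name__ == "__main__":
    for user, info in suspected_aci_problems(PASSSYNC_LOG, ACCESS_LOG).items():
        print(f"{user}: {info}")
```

On a live server the same distinction is what to look for by hand: a RESULT with err=0 nentries=0 for the sync account's connection, against nentries=1 for the same filter under Directory Manager, means the user exists and an ACI is withholding it; a genuinely absent user gets nentries=0 for everyone.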
Comment 4 Martin Kosek 2015-01-13 08:17:11 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4837
Comment 5 Steeve Goveas 2015-01-13 08:35:36 EST
Created attachment 979622
Directory Server access logs

Attaching directory server access logs.
Comment 6 Martin Kosek 2015-01-14 03:17:57 EST
Thanks. This is indeed a regression; we are working on a fix.
Comment 10 Steeve Goveas 2015-01-23 09:01:41 EST
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_winsync_0005: Create user (alphanumeric) in AD and verify it is synced to IPA
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Generate ldif file to add user aduser1 :: actually running 'ADuser_ldif aduser1 ads aduser1 Secret123 512 add'
:: [   PASS   ] :: Generate ldif file to add user aduser1 (Expected 0, got 0)
:: [  BEGIN   ] :: Adding new user in AD aduser1 :: actually running 'ldapmodify -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -f ADuser.ldif'
adding new entry "CN=aduser1 ads,CN=Users,DC=adrelm,DC=com"

:: [   PASS   ] :: Adding new user in AD aduser1 (Expected 0, got 0)
:: [  BEGIN   ] :: Sleeping for sync interval :: actually running 'sleep 30'

MARK-LWD-LOOP -- 2015-01-23 02:12:26 --
:: [   PASS   ] :: Sleeping for sync interval (Expected 0, got 0)
:: [  BEGIN   ] :: aduser1 is synced to IPA :: actually running 'ipa user-show aduser1 > /tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out 2>&1'
:: [   PASS   ] :: aduser1 is synced to IPA (Expected 0, got 0)
  User login: aduser1
  First name: aduser1
  Last name: ads
  Home directory: /home/aduser1
  Login shell: /bin/sh
  UID: 948200006
  GID: 948200006
  Account disabled: False
  Password: True
  Kerberos keys available: True
:: [   PASS   ] :: File '/tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out' should contain 'Account disabled: False' 
:: [  BEGIN   ] :: Sleeping more in case password has not synced :: actually running 'sleep 60'
:: [   PASS   ] :: Sleeping more in case password has not synced (Expected 0, got 0)
:: [  BEGIN   ] :: aduser1 is synced to IPA :: actually running 'ipa user-show aduser1 > /tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out 2>&1'
:: [   PASS   ] :: aduser1 is synced to IPA (Expected 0, got 0)
  User login: aduser1
  First name: aduser1
  Last name: ads
  Home directory: /home/aduser1
  Login shell: /bin/sh
  UID: 948200006
  GID: 948200006
  Account disabled: False
  Password: True
  Kerberos keys available: True
:: [   PASS   ] :: File '/tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out' should contain 'Account disabled: False' 
:: [   PASS   ] :: File '/tmp/tmp.P5FGR7MRdA/tmpout.ipa_winsync_0005.out' should contain 'Password: True' 
'26872341-a5b8-4d0c-9cc3-935685e779c7'
ipa-winsync-0005-Create-user-alphanumeric-in-AD-and-verify-it-is-synced-to-IPA result: PASS

Verified in
ipa-server-4.1.0-16.el7.x86_64
Comment 12 errata-xmlrpc 2015-03-05 05:19:21 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
