Red Hat Bugzilla – Bug 1248405
PassSync should be disabled after ipa-winsync-migrate is finished
Last modified: 2015-11-19 07:04:50 EST
This bug is created as a clone of upstream ticket:
Without PassSync disabled, Active Directory controllers may still try to reset the user account passwords, even though they are already not there.
This warning/notice should be added to the tool itself and to the man pages.
Below are the observations with respect to the testing done on the bug.
Can you please confirm that we are good here to mark this ticket verified if point 4 is expected behaviour.
1. Found that the replication agreement is set up properly between IPA and AD.
Winsync migrate command also runs without any error. Attaching the logs for reference.
2. The man page for ipa-winsync-migrate command lists the required warning.
After the migration, any PassSync agreements need to be removed from Active Directory Domain Controllers, otherwise they might attempt to update passwords for accounts that no longer exist on the IPA server.
3. ipa-winsync-migrate command when executed displays the warning as well.
ipa.ipaserver.install.ipa_winsync_migrate.WinsyncMigrate: WARNING: Migration completed. Please note that if PassSync was configured on the given Active Directory server, it needs to be manually removed, otherwise it may try to reset password for accounts that are no longer existent.
4. PassSync service on the Windows AD is not disabled (i.e. the service is in running state) post winsync migration completion, is this expected?
Yes, this is expected. We cannot disable the PassSync service on the AD automatically, hence we provide a warning to the admin instead.
Marking the bug verified as per above comment.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.