Bug 1248405 - PassSync should be disabled after ipa-winsync-migrate is finished
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Assigned To: IPA Maintainers
Namita Soman
Reported: 2015-07-30 04:38 EDT by Petr Vobornik
Modified: 2015-11-19 07:04 EST
Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 07:04:50 EST

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2362 normal SHIPPED_LIVE ipa bug fix and enhancement update 2015-11-19 05:40:46 EST

Description Petr Vobornik 2015-07-30 04:38:12 EDT
This bug is created as a clone of upstream ticket:

Without PassSync disabled, Active Directory controllers may still try to reset the user account passwords, even though they are already not there.

This warning/notice should be added to the tool itself and to the man pages.
Comment 3 Sudhir Menon 2015-09-30 06:21:39 EDT

Below are the observations with respect to the testing done on the bug.
Can you please confirm that we are good here to mark this ticket verified if point 4 is expected behaviour.

1. Found that the replication agreement is setup properly between IPA and AD.
Winsync migrate command also runs without any error. Attaching the logs for reference.

2. The man page for the ipa-winsync-migrate command lists the required warning.

After the migration, any PassSync agreements need to be removed from Active Directory Domain Controllers, otherwise they might attempt to update passwords for accounts that no longer exist on the IPA server.

3. ipa-winsync-migrate command when executed displays the warning as well.

ipa.ipaserver.install.ipa_winsync_migrate.WinsyncMigrate: WARNING: Migration completed. Please note that if PassSync was configured on the given Active Directory server, it needs to be manually removed, otherwise it may try to reset password for accounts that are no longer existent.

4. PassSync service on the Windows AD is not disabled (i.e. the service is in running state) post winsync migration completion, is this expected?
Comment 4 Tomas Babej 2015-09-30 06:30:06 EDT
Yes, this is expected. We cannot disable the PassSync service on the AD automatically, hence we provide a warning to the admin instead.
Comment 5 Sudhir Menon 2015-09-30 06:32:16 EDT
Thanks Tomas,
Marking the bug verified as per above comment.
Comment 6 errata-xmlrpc 2015-11-19 07:04:50 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

