Description of problem:

[reproduced on RHEL 7.6 / ipa-4-6 so far]

* install IDM
* configure AD trust
* add a trust to an AD forest
* search for trust objects in AD LDAP: they should be there
* uninstall the last IDM master
* check whether AD LDAP still has the trust objects

Version-Release number of selected component (if applicable):

ipa-server-4.6.4-10.el7.x86_64
ipa-server-trust-ad-4.6.4-10.el7.x86_64

How reproducible:

Always on RHEL 7.6 at least

Steps to Reproduce:

0. Have an AD Forest ready and create a forest trust from IDM:
1. ipa-server-install
2. ipa-adtrust-install --add-sids --add-agents -U
3. ipa trust-add --type=ad '<domain>' --admin '<AD admin>' --password --range-type=ipa-ad-trust
4. ipa-server-install --uninstall -U
5. Search for trust objects in AD LDAP:
   - ldapsearch -x -h dc1.adexample.com -D "administrator" -W -b "dc=adexample,dc=com" '(flatname=IDM)' flatname
   - ldapsearch -x -h dc1.adexample.com -D "administrator" -W -b "dc=adexample,dc=com" '(samaccountname=IDM*)' samaccountname userAccountControl

Actual results:

$ ldapsearch -x -h dc1.adexample.com -D "administrator" -W -b "dc=adexample,dc=com" '(flatname=IDM)' flatname
# idm.adexample.com, System, adexample.com
dn: CN=idm.adexample.com,CN=System,DC=adexample,DC=com
flatName: IDM

$ ldapsearch -x -h dc1.adexample.com -D "administrator" -W -b "dc=adexample,dc=com" '(samaccountname=IDM*)' samaccountname userAccountControl
Enter LDAP Password:
# IDM$, Users, adexample.com
dn: CN=IDM$,CN=Users,DC=adexample,DC=com
userAccountControl: 2080
sAMAccountName: IDM$

Expected results:

None of the ldapsearches should find anything in AD LDAP.
ipa-server-install --uninstall, when executed on the last IDM Trust Agent, should remove its trust agreement(s) early.
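
The check from step 5, as an added example that is not part of the original report: a shell function that reads the LDIF printed by the two ldapsearch commands and lists any trust object still present, decoding the userAccountControl value of the trust account. The function names and the embedded sample (built from the output shown under "Actual results") are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes unfolded LDIF on stdin
# (ldapsearch -o ldif-wrap=no) and plain, non-base64 attribute values.
# check_trust_cleanup FLATNAME: one tab-separated line per leftover; returns 1 if any.
check_trust_cleanup() {
    awk -v flat="$1" '
        # POSIX awk has no bitwise AND, so test a single flag bit by division
        function has(v, bit) { return int(v / bit) % 2 }
        function flush(   flags) {
            if (dn != "" && tolower(fname) == tolower(flat)) {
                print "trusted-domain\t" dn; found = 1
            }
            if (dn != "" && tolower(sam) == tolower(flat "$")) {
                flags = ""
                if (has(uac, 2048)) flags = "INTERDOMAIN_TRUST_ACCOUNT"      # 0x0800
                if (has(uac, 32)) flags = flags (flags == "" ? "" : "|") "PASSWD_NOTREQD"  # 0x0020
                print "trust-account\t" dn "\t" flags; found = 1
            }
            dn = fname = sam = uac = ""
        }
        /^$/ { flush(); next }    # a blank line ends an LDIF entry
        /^#/ { next }             # ldapsearch comment lines
        {
            i = index($0, ": "); if (i == 0) next
            key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 2)
            if (key == "dn") dn = val
            else if (key == "flatname") fname = val
            else if (key == "samaccountname") sam = val
            else if (key == "useraccountcontrol") uac = val
        }
        END { flush(); exit (found ? 1 : 0) }
    '
}
# Constructed sample input: the two result entries quoted in the report.
sample_ldif() {
    cat <<'EOF'
# idm.adexample.com, System, adexample.com
dn: CN=idm.adexample.com,CN=System,DC=adexample,DC=com
flatName: IDM

dn: CN=IDM$,CN=Users,DC=adexample,DC=com
userAccountControl: 2080
sAMAccountName: IDM$
EOF
}
sample_ldif | check_trust_cleanup IDM || echo "stale trust objects remain in AD"
```

The value 2080 decodes to INTERDOMAIN_TRUST_ACCOUNT plus PASSWD_NOTREQD, so the leftover IDM$ entry is still a live interdomain trust account in the AD domain, not an inert record.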

Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL8.