Red Hat Bugzilla – Bug 481223
Removing Group Member in ADS and Send and Recieve Updates Crashes the Directory Server
Last modified: 2015-01-04 18:36:11 EST
Description of problem:
After successful syncronization of users/groups and memberships, subsequently changing the the group name and removing a member in ADS and initiating an update results in Segmentation fault and crashes the Directory Server.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a window sync agreement that synchronizes both users and groups.
2. Add users and groups to ADS. Add members to the groups.
3. Verify they are sychronized to DS
4. From ADS Users and Computers MMC, right click on one of the groups and select properties.
5. Change the value in the Group Name field.
6. Click on the members tab
7. Remove one of the member.
8. From the DS console, configuration tab, select the sync agreement.
9. Right click and select Send and Recieve Updates Now.
Segmentation Fault and server crashes
More configuration information:
RHEL5 - 32BIT
Sync Agreement configured with TLS/SSL over LDAPS.
Crash is occurring when just a member has been removed from ADS and then a DS update is initiated.
If a group member is removed from the DS console and an update initiated, it is never updated in ADS.
This is only occurring if the group is defined in ADS as a Distribution Group. If the group is a security group, membership changes are updated correctly.
Found this information:
* Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists.
* Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings.
This is also occuring trying to sync nested groups:
Parent Group - Security Group - Domain Local
Child Group - Security Group - Global
Created attachment 329993 [details]
Created attachment 330006 [details]
cvs commit log
Reviewed by: nkinder (Thanks!)
Fix Description: I broke this with my earlier fix about sending mods to AD. There are calls which reset the raw entry from AD before the call to mod_already_made. The fix is to only retrieve the raw entry just before we use it, after it may have been reset. I also found a memory leak in the mod init with valueset function I added for the prior fix.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
fix verified RHEL 5 - DS 8.1 - group memberships synchronized passsync v 1.1.0
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.