Description of problem: After successful syncronization of users/groups and memberships, subsequently changing the the group name and removing a member in ADS and initiating an update results in Segmentation fault and crashes the Directory Server. Version-Release number of selected component (if applicable): 8.1 How reproducible: Always Steps to Reproduce: 1. Create a window sync agreement that synchronizes both users and groups. 2. Add users and groups to ADS. Add members to the groups. 3. Verify they are sychronized to DS 4. From ADS Users and Computers MMC, right click on one of the groups and select properties. 5. Change the value in the Group Name field. 6. Click on the members tab 7. Remove one of the member. 8. From the DS console, configuration tab, select the sync agreement. 9. Right click and select Send and Recieve Updates Now. Actual results: Segmentation Fault and server crashes Expected results: Successful update. Additional info: More configuration information: RHEL5 - 32BIT Sync Agreement configured with TLS/SSL over LDAPS.
Additional Information: Crash is occurring when just a member has been removed from ADS and then a DS update is initiated. If a group member is removed from the DS console and an update initiated, it is never updated in ADS.
Another revelation: This is only occurring if the group is defined in ADS as a Distribution Group. If the group is a security group, membership changes are updated correctly.
Found this information: * Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists. * Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings.
This is also occuring trying to sync nested groups: Parent Group - Security Group - Domain Local Child Group - Security Group - Global
Created attachment 329993 [details] diffs
Created attachment 330006 [details] cvs commit log Reviewed by: nkinder (Thanks!) Fix Description: I broke this with my earlier fix about sending mods to AD. There are calls which reset the raw entry from AD before the call to mod_already_made. The fix is to only retrieve the raw entry just before we use it, after it may have been reset. I also found a memory leak in the mod init with valueset function I added for the prior fix. Platforms tested: RHEL5 Flag Day: no Doc impact: no
fix verified RHEL 5 - DS 8.1 - group memberships synchronized passsync v 1.1.0
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0455.html