Bug 740081 - Allow sync of "pseudo-user" accounts
Allow sync of "pseudo-user" accounts
Status: CLOSED DEFERRED
Product: 389
Classification: Community
Component: Sync Service (Show other bugs)
1.2.9
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Rich Megginson
Ben Levenson
:
Depends On:
Blocks: 389_1.3.0 690319
  Show dependency treegraph
 
Reported: 2011-09-20 16:58 EDT by Rich Megginson
Modified: 2015-11-19 14:27 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 14:27:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Rich Megginson 2011-09-20 16:58:21 EDT
Description of problem:
There are "pseudo-user" accounts in AD that have mostly "user" objectclass schema but are missing required attributes in DS, such as the "sn" attribute.  There may be some cases where we want to allow the user to sync these entries:

"I think it might be clearer if we synchronized all accounts that do not use built-in SIDs (reserved) and are in the correct cn / ou since there is no such things as a 'psuedo user' in AD.  There may be cases where it is desirable for application users to sync, for example a user used for monitoring could log in from an application server to Linux / Windows with the same account.  This user might not have all the attributes that a real person would have."

We could fill in the missing values in several ways:
1) hard coded value ("Missing Surname")
2) set value to use in winsync agreement entry
winsyncMissing: sn Missing Surname
or
winsyncMissing: sn $displayName
or
winsyncMissing: sn (objectclass=ipaWinsyncConfig) sn
the last is similar to what the ipa-winsync plugin does for missing posix attributes.

The list of well-known SIDs/RIDs is found here - http://git.samba.org/?p=samba.git;a=blob;f=librpc/idl/security.idl;h=2b6efc5318480606f19f6fe25976fe9514114fbc;hb=master
Comment 1 Simo Sorce 2011-09-20 17:05:43 EDT
Any RID below 1000 belongs to wellknown SIDs

But I am not sure you can use that to weed out users/groups.

Here you can find a list of SIDs/RIDS that are wellknown:
http://git.samba.org/?p=samba.git;a=blob;f=librpc/idl/security.idl;h=2b6efc5318480606f19f6fe25976fe9514114fbc;hb=master

start at line 200ish
Comment 2 Rich Megginson 2011-10-17 17:14:08 EDT
Simo, is this a 6.3 feature?  If not, then when?
Comment 3 Simo Sorce 2011-10-17 17:41:47 EDT
I don't know, we do not use winsync for our ad trust plans which are the driver for 3.0
Comment 4 Rich Megginson 2011-10-17 17:47:05 EDT
(In reply to comment #3)
> I don't know, we do not use winsync for our ad trust plans which are the driver
> for 3.0

So can we mark this as CLOSED WONTFIX?
Comment 5 Rich Megginson 2011-10-19 15:41:01 EDT
Would still be a good enhancement until we can completely scrap winsync.
Comment 8 Martin Kosek 2012-01-04 08:21:27 EST
Upstream ticket:
https://fedorahosted.org/389/ticket/30
Comment 10 Noriko Hosoi 2015-11-19 14:27:54 EST
Closing this bug since we moved to the ticket system:
https://fedorahosted.org/389/ticket/30

Note You need to log in before you can comment on or make changes to this bug.