Description of problem:
During system integration test day for ipa, atolani found that uidNumber and gidNumber from Active Directory did not get synced during a winsync operation. Thanks to atolani for reporting this.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create user in AD with a specific uidNumber. (1000099999 in this case)

[root@decepticons ~]# ldapsearch -LLL -x -h dhcp201-112.englab.pnq.redhat.com -D "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" -w Secret123 -b "CN=user4 4. user4,CN=Users,dc=englab,dc=pnq,dc=redhat,dc=com" uidNumber gidNumber unixHomeDirectory loginShell
dn: CN=user4 4. user4,CN=Users,DC=englab,DC=pnq,DC=redhat,DC=com
uidNumber: 1000099999
gidNumber: 1000099999
unixHomeDirectory: /home/userfour
loginShell: /bin/bash

2. Perform sync operation.

ipa-replica-manage connect --winsync --passsync=password --cacert=/root/wincertnew.cer dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123

3. Verify on ipa server with "ipa user-show user4 --all --raw"

Actual results:
uidNumber and gidNumber are not synced and are assigned from the IPA server's range.

[root@decepticons ~]# ipa user-show user4 --all --raw
dn: uid=user4,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
uid: user4
givenname: user4
sn: user4
cn: user4 4. user4
initials: 4
homedirectory: /home/user4 <<<<<<<<<<<<<<<
gecos: user4 4. user4
loginshell: /bin/sh <<<<<<<<<<<<<<<
krbprincipalname: user4.PNQ.REDHAT.COM
uidnumber: 1814400123 <<<<<<<<<<<<<<<
gidnumber: 1814400123 <<<<<<<<<<<<<<<
nsaccountlock: False
has_keytab: False
has_password: False
ipauniqueid: cd8e36c0-1406-11e1-90cf-525400f56e2e
mepmanagedentry: cn=user4,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ntuniqueid: f016a60c20bff0469fab24cd015f2a93
ntuseracctexpires: 9223372036854775807
ntusercodepage: MA==
ntuserdeleteaccount: true
ntuserdomainid: user4
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetOrgPerson
objectclass: ntUser
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: ipaobject
objectclass: mepOriginEntry
[root@decepticons ~]#

Expected results:
uidNumber and gidNumber are synced from Active Directory.

Additional info:
See the same behavior with "login shell" and "home directory".
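An added post-sync check, written for this report and not part of it or of FreeIPA: it parses the AD entry (ldapsearch -LLL output) and the IPA entry (ipa user-show --all --raw output) and reports every POSIX attribute whose value did not carry over, using the AD-to-IPA attribute name mapping from the outputs above. The sample entries are constructed from the values quoted in the report.

```python
# AD attribute name -> name as printed by `ipa user-show --all --raw`
POSIX_ATTR_MAP = {
    "uidNumber": "uidnumber",
    "gidNumber": "gidnumber",
    "unixHomeDirectory": "homedirectory",
    "loginShell": "loginshell",
}

def parse_entry(text):
    """Parse LDIF-style 'name: value' lines into {lowercase name: [values]}.
    Folds continuation lines (leading space); skips lines with no colon."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # LDIF line folding
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:                         # shell prompts etc. have no colon
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def find_unsynced(ad_ldif, ipa_raw):
    """Return {AD attribute: (AD value, IPA value)} for every POSIX attribute
    set in AD whose value differs on the IPA side or is missing there."""
    ad, ipa = parse_entry(ad_ldif), parse_entry(ipa_raw)
    diffs = {}
    for ad_attr, ipa_attr in POSIX_ATTR_MAP.items():
        ad_val = ad.get(ad_attr.lower(), [None])[0]
        ipa_val = ipa.get(ipa_attr, [None])[0]
        if ad_val is not None and ad_val != ipa_val:
            diffs[ad_attr] = (ad_val, ipa_val)
    return diffs

# Constructed sample entries using the values quoted in the report.
AD_ENTRY = """dn: CN=user4 4. user4,CN=Users,DC=englab,DC=pnq,DC=redhat,DC=com
uidNumber: 1000099999
gidNumber: 1000099999
unixHomeDirectory: /home/userfour
loginShell: /bin/bash
"""
IPA_ENTRY = """dn: uid=user4,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
homedirectory: /home/user4
loginshell: /bin/sh
uidnumber: 1814400123
gidnumber: 1814400123
"""
```

Running `find_unsynced(AD_ENTRY, IPA_ENTRY)` on these samples flags all four attributes, which is the symptom the report describes; an empty result means the winsync carried the POSIX data over.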
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2133
Corresponding DS enhancement request https://bugzilla.redhat.com/show_bug.cgi?id=765986
Upstream ticket https://fedorahosted.org/freeipa/ticket/2133 was closed as a duplicate of https://fedorahosted.org/freeipa/ticket/3007. Apparently, this RFE was already fixed upstream and thus will be part of the 7.0 rebase.
This feature was further investigated and we were not confident that it is indeed in a shape ready for production release in 7.0. Moving back to 7.1. I filed Bug 1024411 to clearly document IPA AD integration options, what the use cases and options are.
This issue is clearly documented, as stated in https://bugzilla.redhat.com/show_bug.cgi?id=1024411#c1 IdM has other means to handle POSIX data from AD, like Trusts with POSIX type (http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD) or ID Views (Bug 891984)! Closing this bug as WONTFIX then. Please reopen if there is a disagreement or confusion with other proposed IdM options.