Description Gowrishankar Rajaiyan
2011-11-21 06:22:37 UTC
Description of problem:
During system integration test day for ipa, atolani found that uidNumber and gidNumber from Active Directory did not get synced during a winsync operation. Thanks to atolani for reporting this.
Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Create user in AD with a specific uidNumber. (1000099999 in this case)
[root@decepticons ~]# ldapsearch -LLL -x -h dhcp201-112.englab.pnq.redhat.com -D "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" -w Secret123 -b "CN=user4 4. user4,CN=Users,dc=englab,dc=pnq,dc=redhat,dc=com" uidNumber gidNumber unixHomeDirectory loginShell
dn: CN=user4 4. user4,CN=Users,DC=englab,DC=pnq,DC=redhat,DC=com
uidNumber: 1000099999
gidNumber: 1000099999
unixHomeDirectory: /home/userfour
loginShell: /bin/bash
2. Perform sync operation.
ipa-replica-manage connect --winsync --passsync=password --cacert=/root/wincertnew.cer dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
3. Verify on ipa server with "ipa user-show user4 --all --raw"
Actual results: uidNumber and gidNumber are not synced and are assigned from the IPA server's range.
[root@decepticons ~]# ipa user-show user4 --all --raw
dn: uid=user4,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
uid: user4
givenname: user4
sn: user4
cn: user4 4. user4
initials: 4
homedirectory: /home/user4 <<<<<<<<<<<<<<<
gecos: user4 4. user4
loginshell: /bin/sh <<<<<<<<<<<<<<<
krbprincipalname: user4.PNQ.REDHAT.COM
uidnumber: 1814400123 <<<<<<<<<<<<<<<
gidnumber: 1814400123 <<<<<<<<<<<<<<<
nsaccountlock: False
has_keytab: False
has_password: False
ipauniqueid: cd8e36c0-1406-11e1-90cf-525400f56e2e
mepmanagedentry: cn=user4,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
ntuniqueid: f016a60c20bff0469fab24cd015f2a93
ntuseracctexpires: 9223372036854775807
ntusercodepage: MA==
ntuserdeleteaccount: true
ntuserdomainid: user4
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetOrgPerson
objectclass: ntUser
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: ipaobject
objectclass: mepOriginEntry
[root@decepticons ~]#
Expected results:
uidNumber and gidNumber are synced from Active Directory.
Additional info: See the same behavior with "login shell" and "home directory".
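The comparison in step 3 can be automated. The following is an added example, not part of the original report or of IPA: it parses the saved output of the ldapsearch and "ipa user-show --all --raw" commands and lists the POSIX attributes whose values differ. The names POSIX_ATTR_MAP, parse_attrs and find_mismatches are hypothetical, and the sample text is constructed from the output shown above.

```python
import base64
import re

# AD attribute -> IPA attribute as printed by `ipa user-show --all --raw`
POSIX_ATTR_MAP = {"uidNumber": "uidnumber", "gidNumber": "gidnumber",
                  "unixHomeDirectory": "homedirectory", "loginShell": "loginshell"}

# Constructed samples, trimmed from the output in this report
AD_LDIF = """\
dn: CN=user4 4. user4,CN=Users,DC=englab,DC=pnq,DC=redhat,DC=com
uidNumber: 1000099999
gidNumber: 1000099999
unixHomeDirectory: /home/userfour
loginShell: /bin/bash
"""
IPA_RAW = """\
  dn: uid=user4,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  homedirectory: /home/user4
  loginshell: /bin/sh
  uidnumber: 1814400123
  gidnumber: 1814400123
"""

def parse_attrs(text, ldif=False):
    """Return {attr_lower: [values]} from 'attr: value' lines."""
    if ldif:
        text = text.replace("\n ", "")  # unfold wrapped LDIF lines (RFC 2849)
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:
            continue  # shell prompts, blank lines
        name, sep, value = m.groups()
        if ldif and sep == "::":  # base64-encoded LDIF value
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

def find_mismatches(ad_ldif, ipa_raw):
    """Map IPA attr -> (AD value, IPA value) for POSIX attrs that differ."""
    ad, ipa = parse_attrs(ad_ldif, ldif=True), parse_attrs(ipa_raw)
    diffs = {}
    for ad_name, ipa_name in POSIX_ATTR_MAP.items():
        ad_val = ad.get(ad_name.lower(), [None])[0]
        ipa_val = ipa.get(ipa_name, [None])[0]
        if ad_val is not None and ad_val != ipa_val:
            diffs[ipa_name] = (ad_val, ipa_val)
    return diffs
```

An empty result from find_mismatches means every POSIX attribute present on the AD entry carries the same value in IPA; attributes absent from the AD entry are skipped.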
This feature was further investigated and we were not confident that it is indeed in a shape ready for production release in 7.0. Moving back to 7.1. I filed Bug 1024411 to clearly document IPA AD integration options, what are the use cases and options.