This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2436

Ticket #2238 changed the IPA default user group `ipausers` to non-posix. This, however, conflicts with our winsync synchronization, which now creates non-posix IPA users with no GID number. Such users are then also not shown in the `ipa user-find` command.

The dirsrv error_log reports the following errors:

{{{
[root@vm-068 freeipa-stable]# tail -f /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
[23/Feb/2012:10:49:49 -0500] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTodhcp201-112.englab.pnq.redhat.com" (dhcp201-112:389)". Sent 8 entries.
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:54:39 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
...
}}}

If the ipausers group is made a posix group again, users are created with a GID number.

We may want to either make `ipa-replica-manage` report this situation to the user before an agreement is created so that he can make ipausers a posix group, or fix the ipa-winsync plugin to not require this GID since AD users have private groups by default.

This ticket may be connected with #2324.
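A log check for the error signature quoted in the report above, added here as an illustration; it is not part of the original bug report or of FreeIPA. The function name `missing_default_gid_errors` is hypothetical and the sample lines are constructed in the format of the quoted errors log, with placeholder hostnames and suffix.

```python
import re
from datetime import datetime

# Constructed sample lines (placeholder suffix dc=example,dc=test).
SAMPLE_LOG = """\
[23/Feb/2012:10:49:49 -0500] NSMMReplicationPlugin - Finished total update of replica. Sent 8 entries.
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=example,dc=test] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=example,dc=test] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:54:39 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=example,dc=test] filter [(cn=ipaConfig)] attr [gidNumber]
"""

# Matches only the winsync "default gidNumber" failure and captures the
# search parameters the plugin logged (subtree, filter, attribute).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+ipa_winsync_config_refresh_domain\s+-\s+.*?"
    r"could not find the entry containing the default gidNumber\s+"
    r"ds subtree \[(?P<subtree>.*?)\]\s+filter \[(?P<filter>.*?)\]"
    r"\s+attr \[(?P<attr>.*?)\]\s*$"
)


def missing_default_gid_errors(log_text):
    """Group the failures by (subtree, filter, attr) with count and time range."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated entries, e.g. replication status messages
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        key = (m.group("subtree"), m.group("filter"), m.group("attr"))
        entry = findings.setdefault(key, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return findings


if __name__ == "__main__":
    for (subtree, flt, attr), info in missing_default_gid_errors(SAMPLE_LOG).items():
        print(f"{info['count']} failures, {info['first']} to {info['last']}: "
              f"no {attr} via {flt} under {subtree}; synced users may lack a GID")
```

Any hit means the winsync plugin could not resolve a default GID, so users synced during that window should be checked for a missing GID number.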
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/51601ac794ce589981c0cc3501d91518cea27f15
ipa-2-2: https://fedorahosted.org/freeipa/changeset/16918715dd4b964d5d861a3075b356918034e908
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
default behavior :: user synced, UPG created and user's GID number set to UPG GID, which should be the same as their UID, and user is not added to ipausers group

[root@primenova ~]# ipa user-find steeve
---------------
2 users matched
---------------
  User login: steeve
  First name: steeve
  Last name: ad
  Home directory: /home/steeve
  Login shell: /bin/sh
  UID: 1084800079
  GID: 1084800079
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: steeve2
  First name: steeve2
  Last name: ads
  Home directory: /home/steeve2
  Login shell: /bin/sh
  UID: 1084800166
  GID: 1084800166
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 2
----------------------------
[root@primenova ~]#
[root@primenova ~]# ipa-managed-entries -e "UPG Definition" status
Plugin Enabled
[root@primenova ~]#
[root@primenova ~]# ipa group-find ipausers
---------------
1 group matched
---------------
  Group name: ipausers
  Description: Default group for all users
  Member users: shanksipa
----------------------------
Number of entries returned 1
----------------------------
[root@primenova ~]#

Verified in version ipa-server-2.2.0-11.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html