Bug 809560 - Do not create private groups for migrated users
Summary: Do not create private groups for migrated users
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-03 16:23 UTC by Dmitri Pal
Modified: 2015-01-05 11:05 UTC (History)
2 users (show)

Fixed In Version: ipa-2.2.0-8.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:26:31 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Dmitri Pal 2012-04-03 16:23:41 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2604

User private groups should not be created for migrated posix users, their GID points to another group:

{{{
# echo "secret123" | ipa migrate-ds ldap://vm-054.idm.lab.bos.redhat.com --with-compat --base-dn="dc=greyoak,dc=com"
-----------
migrate-ds:
-----------
Migrated:
  user: darcee_leeson, ayaz_kreiger, mollee_weisenberg
  group: ipagroup
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

# ipa user-show darcee_leeson
  User login: darcee_leeson
  First name: Darcee
  Last name: Leeson
  Home directory: /home/Darcee_Leeson
  Email address: Darcee_Leeson
  UID: 11731
  GID: 21731         <<<<<<<<<
  Telephone Number: +1 804 913-8558
  Org. Unit: Product Testing
  Job Title: Supreme Product Testing Visionary
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: False
# ipa group-show darcee_leeson
  Group name: darcee_leeson
  Description: User private group for darcee_leeson
  GID: 11731        <<<<<<<<<
}}}
Comment 1 Rob Crittenden 2012-04-04 15:35:28 UTC 
fixed upstream.

master: b55c98f1c5b0d46aba3f1792ebd8ecc059173b6a

ipa-2-2: b98342ae6e60920c88e0979a84705874d59a0f3d
Comment 4 Jenny Severance 2012-04-23 15:24:51 UTC 
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz809560 Do not create private groups for migrated users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Verify user 'puser1' does not have a private group
:: [   PASS   ] :: Verify user 'puser2' does not have a private group
:: [   PASS   ] :: Verify user 'philomena_hazen' does not have a private group
:: [   LOG    ] :: Duration: 7s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: bz809560 Do not create private groups for migrated users


version :: ipa-server-2.2.0-10.el6.x86_64
Comment 6 Martin Kosek 2012-04-25 11:24:28 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 8 errata-xmlrpc 2012-06-20 13:26:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html
Note You need to log in before you can comment on or make changes to this bug.