Bug 841919 - User that was existing in IPA before winsync does not get deleted from AD
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: IDM QE LIST
Reported: 2012-07-20 10:37 EDT by Steeve Goveas
Modified: 2012-07-24 16:09 EDT
Last Closed: 2012-07-24 16:09:41 EDT
Type: Bug
Doc Type: Bug Fix
Attachments: None
Description Steeve Goveas 2012-07-20 10:37:05 EDT
Description of problem: A user that existed in IPA and was existing in AD, or was added to AD after winsync, does not get deleted from AD when it is deleted from IPA


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64

How reproducible: Always


Steps to Reproduce:
1. Add user in IPA before winsync with AD
2. Add the same user in AD before winsync with minor different data, like a different telephone number
3. Setup winsync
4. The AD user overrides the IPA user. Check that phone number is displayed as was set in AD
5. Delete that user from IPA with 
# ipa user-del user
6. The user gets deleted from IPA, but is not deleted from AD
7. The case is the same if an IPA existing user is added in AD after winsync.
  
Actual results:
User exists in AD even after deletion from IPA server

Expected results:
User must be deleted from AD server as well

Additional info:
[root@wheeljack slapd-TESTRELM-COM]# ipa user-add ADnew
First name: ADnew
Last name: user
------------------
Added user "adnew"
------------------
  User login: adnew
  First name: ADnew
  Last name: user
  Full name: ADnew user
  Display name: ADnew user
  Initials: Au
  Home directory: /home/adnew
  GECOS field: ADnew user
  Login shell: /bin/sh
  Kerberos principal: adnew@TESTRELM.COM
  UID: 75600042
  GID: 75600042
  Password: False
  Kerberos keys available: False

[root@wheeljack slapd-TESTRELM-COM]# ipa user-mod ADnew --phone=233223322
---------------------
Modified user "adnew"
---------------------
  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 233223322
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@wheeljack slapd-TESTRELM-COM]# ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 75600000
  GID: 75600000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 233223322
  Account disabled: False
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 2
----------------------------

[root@wheeljack ipa-winsync]# ipa-replica-manage connect --winsync --passsync=password --cacert=ADcert.cer squab.adrelm.com --binddn "CN=Administrator,CN=Users,DC=adrelm,DC=com" --bindpw Secret123 -v -p Secret123
Added CA certificate ADcert.cer to certificate database for wheeljack.testrelm.com
ipa: INFO: AD Suffix is: DC=adrelm,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20120720112643Z: end: 20120720112643Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update succeeded
Connected 'wheeljack.testrelm.com' to 'squab.adrelm.com'

* User ADnew overrides IPA user attributes. Check Telephone Number

[root@wheeljack ipa-winsync]# ipa user-show ADnew
  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 345345345
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@wheeljack ipa-winsync]# ipa user-del ADnew
--------------------
Deleted user "adnew"
--------------------

[root@wheeljack ipa-winsync]# ipa user-show ADnew
ipa: ERROR: adnew: user not found

* User still exists in AD. It does not re-sync back to IPA. Behaviour is the same if an existing user in IPA is also added in AD post winsync

[root@wheeljack ipa-winsync]# ldapsearch -ZZ -x -h squab.adrelm.com -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -b "cn=ADnew user,cn=users,dc=adrelm,dc=com"
# extended LDIF
#
# LDAPv3
# base <cn=ADnew user,cn=users,dc=adrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ADnew user, Users, adrelm.com
dn: CN=ADnew user,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ADnew user
sn: user
telephoneNumber: 345345345
givenName: ADnew
initials: Au
distinguishedName: CN=ADnew user,CN=Users,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20120720112145.0Z
whenChanged: 20120720114430.0Z
displayName: ADnew user
uSNCreated: 159965
uSNChanged: 159977
name: ADnew user
objectGUID:: iit425bnC0afYwYsTr6E3A==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129872582705468750
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAiFnzZEqY6qC0I54HEAUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ADnew
sAMAccountType: 805306368
userPrincipalName: ADnew@adrelm.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129872574176250000

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
Comment 2 Rob Crittenden 2012-07-24 10:14:43 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2943
Comment 3 Rob Crittenden 2012-07-24 16:09:41 EDT
This is working as designed. AD is considered the authoritative source.

This is documented at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory.html
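Because winsync treats AD as authoritative, an `ipa user-del` never removes the matching AD account, so an administrator who wants IPA deletions to take effect in AD has to find and remove those accounts on the AD side. The following is an added example, not code from this bug report or from FreeIPA: it parses an `ldapsearch` LDIF dump of the AD users container (the first entry is condensed from the report's output above; the `jdoe` and `Domain Users` entries are constructed) and reports AD user accounts whose `sAMAccountName` no longer matches any IPA login. The function names and the sample data are assumptions made for this example.

```python
"""Reconcile an AD LDIF dump against the logins still present in IPA.

Added example (not part of the bug report or FreeIPA). AD accounts that
IPA no longer has are exactly the ones winsync will never remove after
an `ipa user-del`; they must be cleaned up deliberately on the AD side.
"""
import base64
from typing import Dict, List

# Constructed sample: the ADnew entry is condensed from the report's
# ldapsearch output; jdoe (present in both directories) and the
# Domain Users group (not a user object) are made up for this example.
AD_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=adrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ADnew user, Users, adrelm.com
dn: CN=ADnew user,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ADnew user
sn: user
telephoneNumber: 345345345
givenName: ADnew
objectGUID:: iit425bnC0afYwYsTr6E3A==
sAMAccountName: ADnew
userPrincipalName: ADnew@adrelm.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,
 DC=adrelm,DC=com

# jdoe, Users, adrelm.com (constructed; exists in IPA as well)
dn: CN=jdoe,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jdoe
sAMAccountName: jdoe

# Domain Users, Users, adrelm.com (constructed group, not a user)
dn: CN=Domain Users,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: group
cn: Domain Users
sAMAccountName: Domain Users

# search result
search: 3
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch-style LDIF into a list of {attr: [values]} entries.

    Handles '#' comments, folded continuation lines (leading space),
    '::' base64 values (stored as hex, since they may be binary such as
    objectGUID/objectSid) and blank-line separators. Attribute names are
    lower-cased. The 'search:'/'result:' trailer has no dn and is dropped.
    """
    # Unfold continuation lines first.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:  # trailing sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).hex()
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def ad_accounts_missing_from_ipa(ad_ldif: str, ipa_logins: List[str]) -> List[str]:
    """Return sAMAccountNames of AD *user* objects with no IPA login (case-insensitive)."""
    ipa = {login.lower() for login in ipa_logins}
    orphans = []
    for entry in parse_ldif(ad_ldif):
        classes = {oc.lower() for oc in entry.get("objectclass", [])}
        if "user" not in classes:  # skip groups, computers, containers
            continue
        for sam in entry.get("samaccountname", []):
            if sam.lower() not in ipa:
                orphans.append(sam)
    return sorted(orphans)


if __name__ == "__main__":
    # IPA logins after `ipa user-del ADnew`, taken from `ipa user-find`.
    for sam in ad_accounts_missing_from_ipa(AD_LDIF, ["admin", "jdoe"]):
        print(f"AD account {sam!r} has no IPA user; winsync will not remove it")
```

In practice the LDIF would come from an `ldapsearch` against the AD users container (as in the report, but with the `CN=Users` base and a `(objectClass=user)` filter) and the login list from `ipa user-find`; matching is done on `sAMAccountName` against the IPA login because that is the attribute winsync pairs the two entries on, and the comparison is case-insensitive because IPA lower-cases the login (`ADnew` became `adnew` above).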
