Bug 841919 - User that was existing in IPA before winsync does not get deleted from AD
Summary: User that was existing in IPA before winsync does not get deleted from AD
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-07-20 14:37 UTC by Steeve Goveas
Modified: 2012-07-24 20:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-24 20:09:41 UTC
Target Upstream Version:
Embargoed:



Description Steeve Goveas 2012-07-20 14:37:05 UTC
Description of problem: A user that existed in IPA and was existing in AD, or was added to AD after winsync, does not get deleted from AD when it is deleted from IPA


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64

How reproducible: Always


Steps to Reproduce:
1. Add user in IPA before winsync with AD
2. Add the same user in AD before winsync with minor differences in data, like a different telephone number
3. Setup winsync
4. The AD user overrides the IPA user. Check that phone number is displayed as was set in AD
5. Delete that user from IPA with 
# ipa user-del user
6. The user gets deleted from IPA, but is not deleted from AD
7. The case is the same if an IPA existing user is added in AD after winsync.
  
Actual results:
User exists in AD even after deletion from IPA server

Expected results:
User must be deleted from AD server as well

Additional info:
[root@wheeljack slapd-TESTRELM-COM]# ipa user-add ADnew
First name: ADnew
Last name: user
------------------
Added user "adnew"
------------------
  User login: adnew
  First name: ADnew
  Last name: user
  Full name: ADnew user
  Display name: ADnew user
  Initials: Au
  Home directory: /home/adnew
  GECOS field: ADnew user
  Login shell: /bin/sh
  Kerberos principal: adnew
  UID: 75600042
  GID: 75600042
  Password: False
  Kerberos keys available: False

[root@wheeljack slapd-TESTRELM-COM]# ipa user-mod ADnew --phone=233223322
---------------------
Modified user "adnew"
---------------------
  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 233223322
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@wheeljack slapd-TESTRELM-COM]# ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 75600000
  GID: 75600000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 233223322
  Account disabled: False
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 2
----------------------------

[root@wheeljack ipa-winsync]# ipa-replica-manage connect --winsync --passsync=password --cacert=ADcert.cer squab.adrelm.com --binddn "CN=Administrator,CN=Users,DC=adrelm,DC=com" --bindpw Secret123 -v -p Secret123
Added CA certificate ADcert.cer to certificate database for wheeljack.testrelm.com
ipa: INFO: AD Suffix is: DC=adrelm,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20120720112643Z: end: 20120720112643Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update succeeded
Connected 'wheeljack.testrelm.com' to 'squab.adrelm.com'

* User ADnew overrides IPA user attributes. Check Telephone Number

[root@wheeljack ipa-winsync]# ipa user-show ADnew
  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 345345345
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@wheeljack ipa-winsync]# ipa user-del ADnew
--------------------
Deleted user "adnew"
--------------------

[root@wheeljack ipa-winsync]# ipa user-show ADnew
ipa: ERROR: adnew: user not found

* User still exists in AD. It does not re-sync back to IPA. Behaviour is the same if an existing user in IPA is also added in AD post winsync

[root@wheeljack ipa-winsync]# ldapsearch -ZZ -x -h squab.adrelm.com -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -b "cn=ADnew user,cn=users,dc=adrelm,dc=com"
# extended LDIF
#
# LDAPv3
# base <cn=ADnew user,cn=users,dc=adrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ADnew user, Users, adrelm.com
dn: CN=ADnew user,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ADnew user
sn: user
telephoneNumber: 345345345
givenName: ADnew
initials: Au
distinguishedName: CN=ADnew user,CN=Users,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20120720112145.0Z
whenChanged: 20120720114430.0Z
displayName: ADnew user
uSNCreated: 159965
uSNChanged: 159977
name: ADnew user
objectGUID:: iit425bnC0afYwYsTr6E3A==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129872582705468750
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAiFnzZEqY6qC0I54HEAUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ADnew
sAMAccountType: 805306368
userPrincipalName: ADnew
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129872574176250000

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Comment 2 Rob Crittenden 2012-07-24 14:14:43 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2943

Comment 3 Rob Crittenden 2012-07-24 20:09:41 UTC
This is working as designed. AD is considered the authoritative source.

This is documented at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory.html
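Because AD stays authoritative and an `ipa user-del` does not propagate to an AD account that already existed there, an administrator who removes people on the IPA side needs a separate check for accounts that survive in AD. The script below is an added example, not part of the bug report or the FreeIPA project: it parses an AD user export in the LDIF form that `ldapsearch` prints (including base64 `::` values and folded continuation lines) and reports every `sAMAccountName` with no matching IPA login. The sample LDIF and the IPA login list are constructed from the values shown in this report; the `description` attribute and the `synced` account are invented to exercise line folding and the "still present on both sides" case. Logins are compared case-insensitively because IPA lowercases the login (`adnew`) while AD keeps `ADnew`.

```python
"""Reconcile an AD user export (LDIF) against IPA logins to spot accounts that
remain in AD after deletion from IPA.

Added example, not from the bug report or the FreeIPA project. It assumes the
operator has already exported the AD Users container with ldapsearch (as in
the report) and collected IPA logins with `ipa user-find`.
"""
import base64
import re

# Constructed sample: LDIF as ldapsearch prints it, with a base64 ("::") value
# and a folded continuation line so the parser is exercised on realistic input.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3

# ADnew user, Users, adrelm.com
dn: CN=ADnew user,CN=Users,DC=adrelm,DC=com
objectClass: user
cn: ADnew user
telephoneNumber: 345345345
objectGUID:: iit425bnC0afYwYsTr6E3A==
userAccountControl: 512
sAMAccountName: ADnew
userPrincipalName: ADnew
description: a long description that wraps
  onto a continuation line

# Still synced user, Users, adrelm.com  (constructed)
dn: CN=Still synced,CN=Users,DC=adrelm,DC=com
objectClass: user
sAMAccountName: synced
userAccountControl: 512

# search result
search: 3
result: 0 Success
"""

# Constructed: logins as `ipa user-find` lists them after `ipa user-del adnew`.
IPA_LOGINS = ["admin", "synced"]

UAC_ACCOUNTDISABLE = 0x0002  # ACCOUNTDISABLE bit of userAccountControl


def parse_ldif(text):
    """Parse LDIF text into a list of dicts mapping attribute -> list of values.

    Skips comment lines, unfolds continuation lines (a line starting with one
    space continues the previous line) and decodes base64 ('::') values; a value
    that is not valid UTF-8 is kept as bytes.
    """
    unfolded = re.sub(r"\n ", "", text)
    entries, current = [], {}
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends the current record
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            raw = base64.b64decode(value[1:].strip())
            try:
                value = raw.decode("utf-8")
            except UnicodeDecodeError:
                value = raw
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_stale_ad_accounts(ad_entries, ipa_logins):
    """Return AD user accounts whose sAMAccountName has no IPA login.

    Comparison is case-insensitive: IPA stores 'adnew', AD stores 'ADnew'.
    Records without a dn (the trailing 'search result' block) are ignored.
    """
    known = {login.lower() for login in ipa_logins}
    stale = []
    for entry in ad_entries:
        if "dn" not in entry or "user" not in entry.get("objectClass", []):
            continue
        for sam in entry.get("sAMAccountName", []):
            if sam.lower() not in known:
                uac = int(entry.get("userAccountControl", ["0"])[0])
                stale.append({"sAMAccountName": sam, "dn": entry["dn"][0],
                              "disabled": bool(uac & UAC_ACCOUNTDISABLE)})
    return stale


if __name__ == "__main__":
    for acct in find_stale_ad_accounts(parse_ldif(SAMPLE_LDIF), IPA_LOGINS):
        state = "disabled" if acct["disabled"] else "ENABLED"
        print(f"{acct['sAMAccountName']}: {acct['dn']} ({state}, absent from IPA)")
```

Run against real exports, the enabled accounts it prints are the ones to review on the AD side, since winsync will not remove them on the IPA administrator's behalf.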

