Red Hat Bugzilla – Bug 924937
Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync
Last modified: 2015-03-05 04:30:26 EST
Description of problem:
The PosixWinsync plugin keeps posix attributes in sync between DS and AD. One of the configuration options for this plugin is posixWinsyncMapMemberUid, which attempts to populate the memberUid attribute in 389 if it is missing from AD, based on the member attribute. The default for this attribute is TRUE. However, if this attribute is enabled, the plugin fails to correctly synchronize nested posix groups.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-11 on RHEL 6.4

How reproducible:
always

Steps to Reproduce:
1. Set posixWinsyncMapMemberUid to TRUE for the Posix Winsync API plugin.
2. Add a posix group (group1) on AD.
3. Add another posix group (group2) with group1 as a member. Basically, you are testing nested groups.
4. When the group is synced (trying to sync) to DS, it throws this error message:

Entry "cn=adg_posix_t13_00,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed

==> /var/log/dirsrv/slapd-M1/errors <==
[22/Mar/2013:14:12:35 -0400] - Entry "cn=adg_posix_t13_00,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed
[22/Mar/2013:14:12:36 -0400] - Entry "cn=adg_posix_t13_01,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed
[22/Mar/2013:14:12:36 -0400] - Entry "cn=adg_posix_t13_02,ou=dswinsync,dc=passsync,dc=com" -- attribute "dsOnlyMemberUid" not allowed

The corresponding AD entry looks like this...
[root@intel-piketon-01 MMR_WINSYNC]# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-M1/cert8.db -h win2k8rhvd64.win2k8sync64.com -p 636 -D "cn=SyncManager,cn=Users,dc=win2k8sync64,dc=com" -w Secret123 -b cn=adg_posix_t13_01,ou=adpasssync,dc=win2k8sync64,dc=com objectClass=*
version: 1
dn: CN=adg_posix_t13_01,OU=adpasssync,DC=win2k8sync64,DC=com
objectClass: top
objectClass: posixGroup
objectClass: group
cn: adg_posix_t13_01
member: CN=adg_posix_t13,OU=adpasssync,DC=win2k8sync64,DC=com
distinguishedName: CN=adg_posix_t13_01,OU=adpasssync,DC=win2k8sync64,DC=com
instanceType: 4
whenCreated: 20130322181406.0Z
whenChanged: 20130322181406.0Z
uSNCreated: 426380
uSNChanged: 426383
name: adg_posix_t13_01
objectGUID:: ar229MRn8E+UaCdTwlVPHA==
objectSid:: AQUAAAAAAAUVAAAAwfmfzEa6cJsGbjjEcFAAAA==
sAMAccountName: adg_posix_t13_01
sAMAccountType: 268435457
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=win2k8sync64,DC=com
dSCorePropagationData: 16010101000000.0Z
gidNumber: 3933

Additional info:
This issue was originally reported by Milan Kubik and discovered as part of posix Winsync automation. It is automated and corresponds to /scripts/MMR_WINSYNC/posix_sync_manual.sh testcase bug847868_13.
Upstream ticket: https://fedorahosted.org/389/ticket/47310
$ rpm -qa | grep 389
389-ds-base-debuginfo-1.3.3.1-11.el7.x86_64
389-ds-base-libs-1.3.3.1-11.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

Using test case bug847868_13 I added posix groups on AD:

dn: CN=adg_posix_t13_00,OU=adsync,DC=adrelm,DC=com
objectClass: top
objectClass: posixGroup
objectClass: group
cn: adg_posix_t13_00
member: CN=adg_posix_t13,OU=adsync,DC=adrelm,DC=com
distinguishedName: CN=adg_posix_t13_00,OU=adsync,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20150119021429.0Z
whenChanged: 20150119021429.0Z
uSNCreated: 32944
uSNChanged: 32947
name: adg_posix_t13_00
objectGUID:: I0ToPFoDcEi46e5tB9O2tA==
objectSid:: AQUAAAAAAAUVAAAAiiwF82aDDckPUPdEmwQAAA==
sAMAccountName: adg_posix_t13_00
sAMAccountType: 268435457
groupType: 2
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
gidNumber: 3933

Corresponding entry in DS after sync:

dn: cn=adg_posix_t13_00,ou=People,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: ntGroup
objectclass: posixGroup
objectclass: dynamicGroup
ntGroupDeleteGroup: true
cn: adg_posix_t13_00
uniqueMember: cn=adg_posix_t13,ou=People,dc=example,dc=com
ntUserDomainId: adg_posix_t13_00
ntGroupType: 2
ntUniqueId: 2344e83c5a037048b8e9ee6d07d3b6b4
gidNumber: 3933
dsOnlyMemberUid: adu_posix_t13
memberUid: adu_posix_t13

The objectClass dynamicGroup was added to allow the dsOnlyMemberUid attribute; no errors in the error log. Marking as VERIFIED.
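The following is an added example, not code from 389-ds or the posix-winsync plugin. It models the two things this report turns on: the posixWinsyncMapMemberUid mapping from the reproduction steps (deriving memberUid from AD's member DNs across a nested group, with protection against membership cycles), and the schema check that logged 'attribute "dsOnlyMemberUid" not allowed' before the fix but passes once objectClass dynamicGroup is present, as in the verified DS entry. The AD entries, the schema table (a hand-written subset, not the shipped schema files) and the membership of adu_posix_t13 in adg_posix_t13 are all constructed assumptions for the example; the names sync_posix_group, flatten_member_uids and check_entry are this example's own.

```python
"""Model of posixWinsyncMapMemberUid on a nested group plus the DS schema
check, before and after adding objectClass dynamicGroup (added example;
not 389-ds code). All data below is constructed for illustration."""
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]

# Constructed AD side, modelled on the entries quoted in the report. That
# adu_posix_t13 is a member of adg_posix_t13 is an assumption made so the
# flattened result matches the memberUid value in the verified DS entry.
AD: Dict[str, Entry] = {
    "CN=adu_posix_t13,OU=adsync,DC=adrelm,DC=com": {
        "objectClass": ["top", "user", "posixAccount"],
        "uid": ["adu_posix_t13"],
    },
    "CN=adg_posix_t13,OU=adsync,DC=adrelm,DC=com": {
        "objectClass": ["top", "posixGroup", "group"],
        "member": ["CN=adu_posix_t13,OU=adsync,DC=adrelm,DC=com"],
        "gidNumber": ["3932"],
    },
    "CN=adg_posix_t13_00,OU=adsync,DC=adrelm,DC=com": {
        "objectClass": ["top", "posixGroup", "group"],
        "member": ["CN=adg_posix_t13,OU=adsync,DC=adrelm,DC=com"],
        "gidNumber": ["3933"],
    },
}

# Hand-written schema subset: objectClass -> attributes it allows (lower-cased,
# LDAP names are case-insensitive). dynamicGroup allowing dsOnlyMemberUid is
# what the verification comment states; the other rows are a simplification.
SCHEMA: Dict[str, Set[str]] = {
    "top": set(),
    "groupofuniquenames": {"cn", "uniquemember"},
    "ntgroup": {"ntuserdomainid", "ntgrouptype", "ntuniqueid", "ntgroupdeletegroup"},
    "posixgroup": {"cn", "gidnumber", "memberuid"},
    "dynamicgroup": {"dsonlymemberuid"},
}


def rdn_value(dn: str) -> str:
    """'CN=foo,OU=x,...' -> 'foo'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def flatten_member_uids(group_dn: str, directory: Dict[str, Entry],
                        seen: Optional[Set[str]] = None) -> List[str]:
    """uid of every posixAccount reachable from group_dn through ``member``,
    descending into nested groups; ``seen`` stops membership cycles."""
    if seen is None:
        seen = set()
    if group_dn in seen:
        return []
    seen.add(group_dn)
    uids: List[str] = []
    for member_dn in directory.get(group_dn, {}).get("member", []):
        member = directory.get(member_dn)
        if member is None:
            continue  # dangling DN: nothing to map
        classes = {oc.lower() for oc in member.get("objectClass", [])}
        if "posixaccount" in classes:
            uids.extend(member.get("uid", []))
        elif "group" in classes or "posixgroup" in classes:
            uids.extend(flatten_member_uids(member_dn, directory, seen))
    return list(dict.fromkeys(uids))  # de-duplicate, keep order


def disallowed_attributes(entry: Entry) -> List[str]:
    """Attributes of entry that none of its objectClasses permit."""
    allowed: Set[str] = set()
    for oc in entry.get("objectClass", []):
        allowed |= SCHEMA.get(oc.lower(), set())
    return sorted(a for a in entry
                  if a.lower() != "objectclass" and a.lower() not in allowed)


def check_entry(dn: str, entry: Entry) -> Optional[str]:
    """None if schema-clean, else a message shaped like the errors-log line."""
    bad = disallowed_attributes(entry)
    return None if not bad else f'Entry "{dn}" -- attribute "{bad[0]}" not allowed'


def sync_posix_group(ad_dn: str, directory: Dict[str, Entry],
                     suffix: str = "ou=People,dc=example,dc=com",
                     map_member_uid: bool = True,
                     with_dynamic_group: bool = False) -> Tuple[str, Entry]:
    """Build the DS-side entry for an AD posix group. Without memberUid on the
    AD side, memberUid is derived from the flattened members and the same
    values recorded in dsOnlyMemberUid (both appear in the verified entry);
    dynamicGroup is added only when with_dynamic_group is set (the fix)."""
    ad = directory[ad_dn]
    cn = rdn_value(ad_dn)
    entry: Entry = {
        "objectClass": ["top", "groupOfUniqueNames", "ntGroup", "posixGroup"],
        "cn": [cn],
        "ntUserDomainId": [cn],
        "gidNumber": list(ad.get("gidNumber", [])),
        "uniqueMember": [f"cn={rdn_value(m)},{suffix}" for m in ad.get("member", [])],
    }
    if map_member_uid and "memberUid" not in ad:
        uids = flatten_member_uids(ad_dn, directory)
        if uids:
            entry["memberUid"] = uids
            entry["dsOnlyMemberUid"] = list(uids)
            if with_dynamic_group:
                entry["objectClass"].append("dynamicGroup")
    return f"cn={cn},{suffix}", entry


if __name__ == "__main__":
    top = "CN=adg_posix_t13_00,OU=adsync,DC=adrelm,DC=com"
    for fixed in (False, True):
        dn, e = sync_posix_group(top, AD, with_dynamic_group=fixed)
        print("fixed" if fixed else "broken", check_entry(dn, e) or "schema OK", e["memberUid"])
```

Running it prints the pre-fix log-style error for the nested group and "schema OK" once dynamicGroup is on the entry; the cycle guard in flatten_member_uids is there because AD permits a group to be a member of its own nested members, which a naive recursive mapper would loop on.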
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0416.html