#2436 winsync now does not fill gidnumber
Closed: Fixed None Opened 12 years ago by mkosek.

Ticket #2238 changed the ipa default user group ipausers to non-posix. This, however, conflicts with our winsync synchronization, which now creates non-posix IPA users with no GID number. Such users are then also not shown in the ipa user-find command.

dirsrv error_log reports the following errors:

[root@vm-068 freeipa-stable]# tail -f /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
[23/Feb/2012:10:49:49 -0500] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTodhcp201-112.englab.pnq.redhat.com" (dhcp201-112:389)". Sent 8 entries.
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:54:39 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
...

If the ipausers group is made a posix group again, users are created with a GID number. We may want to either make ipa-replica-manage report this situation to the user before an agreement is created, so that he can make ipausers a posix group, or fix the ipa-winsync plugin to not require this GID, since AD users have private groups by default.

This ticket may be connected with #2324.


Wouldn't it be better to create UPGs for these users ?

They do get UPGs but the primary user group is still being set to ipausers. We missed updating this when we switched over.

We should probably treat this like we do when adding normal users. See if UPG is enabled and if so, just add them as a member of ipausers. Otherwise use the ipausers group gidnumber.

Replying to [comment:2 rcritten]:

They do get UPGs but the primary user group is still being set to ipausers. We missed updating this when we switched over.

That's not what I saw. A UPG was created and the GID was set to the UPG, not ipausers. Then it of course does not make much sense to search for the ipausers GID.

How to test:

  1. Create winsync agreement with AD
  2. Create a user in the AD
  3. Check the synced user in the IPA directory, and check specifically its gidNumber. There are 4 situations that can occur, depending on:
    • the state of the default user group (ipausers): it can be posix (with gidNumber) or non-posix (without gidNumber). Non-posix ipausers is the default state after a clean FreeIPA installation
    • the User Private Group status (ipa-managed-entries -e "UPG Definition" status). It can be changed to enabled (ipa-managed-entries -e "UPG Definition" enable) or disabled (ipa-managed-entries -e "UPG Definition" disable)
  4. The new AD user gidNumber should be set according to this table:
    a. Default group posix, UPG enabled: gidNumber = UPG gidNumber
    b. Default group posix, UPG disabled: gidNumber = ipausers gidNumber
    c. Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
    d. Default group non-posix, UPG disabled: an error is printed to the dirsrv log, as the gidNumber cannot be retrieved. The user is replicated in the same way as before this patch, i.e. without gidNumber and essential object classes like posixuser
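A way to check the four outcomes in the table above against an actual directory dump, as an added example that is not part of this ticket or of FreeIPA's own code. It reads an LDIF export of the users and groups containers (for instance from ldapsearch -LLL) and reports, per synced user, whether the gidNumber matches the UPG (cases a and c) or the ipausers gidNumber (case b), or is missing (case d). The DNs, uids and numbers in the embedded sample are constructed; the only FreeIPA convention it relies on is that a user private group is a posix group whose cn equals the uid.

```python
"""Audit winsync'd IPA users for the gidNumber outcomes in the ticket's table.

Added example (hypothetical helper, not FreeIPA code). All sample data is constructed.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed LDIF: non-posix ipausers (default after a clean install), one AD user
# that received a UPG and gidNumber, one that was synced without either (case d).
SAMPLE_LDIF = """\
dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: groupofnames
objectClass: ipausergroup
cn: ipausers

dn: cn=aduser1,cn=groups,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: posixgroup
cn: aduser1
gidNumber: 1234500001

dn: uid=aduser1,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: ntuser
uid: aduser1
uidNumber: 1234500001
gidNumber: 1234500001

dn: uid=aduser2,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: ntuser
uid: aduser2
uidNumber: 1234500002
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines (RFC 2849), skips comments,
    and returns one dict per entry keyed by lower-cased attribute name."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64 value; kept raw, not needed here
            value = value[1:]
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def first(entry: Entry, attr: str) -> Optional[str]:
    values = entry.get(attr.lower())
    return values[0] if values else None


def audit_synced_users(ldif_text: str, upg_enabled: bool) -> Dict[str, Tuple[str, str]]:
    """Return {uid: (status, detail)} with status ok / missing / mismatch / unverified."""
    groups: Dict[str, Entry] = {}
    users: List[Entry] = []
    for e in parse_ldif(ldif_text):
        dn = (first(e, "dn") or "").lower()
        if dn.startswith("uid="):
            users.append(e)
        elif dn.startswith("cn=") and first(e, "cn"):
            groups[first(e, "cn").lower()] = e

    # ipausers carries a gidNumber only while it is a posix group (cases b vs d).
    default_gid = first(groups.get("ipausers", {}), "gidnumber")

    report: Dict[str, Tuple[str, str]] = {}
    for user in users:
        uid = first(user, "uid") or "?"
        actual = first(user, "gidnumber")
        ocs = {oc.lower() for oc in user.get("objectclass", [])}
        if upg_enabled:                      # cases a and c: UPG is cn=<uid>
            upg = groups.get(uid.lower())
            expected, source = (first(upg, "gidnumber") if upg else None), "UPG"
        else:                                # cases b and d: ipausers gidNumber
            expected, source = default_gid, "ipausers"
        if actual is None:
            has_posix = "present" if "posixaccount" in ocs else "absent"
            report[uid] = ("missing", "no gidNumber; posixaccount objectclass %s" % has_posix)
        elif expected is None:
            report[uid] = ("unverified", "gidNumber %s set but %s has no gidNumber to compare" % (actual, source))
        elif actual == expected:
            report[uid] = ("ok", "gidNumber %s matches %s" % (actual, source))
        else:
            report[uid] = ("mismatch", "gidNumber %s, expected %s from %s" % (actual, expected, source))
    return report


if __name__ == "__main__":
    for state in (True, False):
        print("UPG %s:" % ("enabled" if state else "disabled"))
        for uid, (status, detail) in audit_synced_users(SAMPLE_LDIF, upg_enabled=state).items():
            print("  %-10s %-10s %s" % (uid, status, detail))
```

Run it against a real export by replacing SAMPLE_LDIF with the contents of the users and groups subtrees; a "missing" verdict for a freshly synced AD user is exactly the case (d) symptom reported in this ticket.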

Patch freeipa-mkosek-232-treat-upgs-correctly-in-winsync-replication.patch sent for review

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03

7 years ago

