Ticket #2238 changed the IPA default user group ipausers to non-posix. This, however, conflicts with our winsync synchronization, which now creates non-posix IPA users with no GID number. Such users are then also not shown in the ipa user-find command.
The dirsrv error log reports the following errors:
[root@vm-068 freeipa-stable]# tail -f /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
[23/Feb/2012:10:49:49 -0500] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTodhcp201-112.englab.pnq.redhat.com" (dhcp201-112:389)". Sent 8 entries.
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:50:06 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
[23/Feb/2012:10:54:39 -0500] ipa_winsync_config_refresh_domain - [file ipa-winsync-config.c, line 923]: Error: could not find the entry containing the default gidNumber ds subtree [cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com] filter [(cn=ipaConfig)] attr [gidNumber]
...
If the ipausers group is made a posix group again, users are created with a GID number. We may want to either make ipa-replica-manage report this situation to the user before an agreement is created, so that he can make ipausers a posix group, or fix the ipa-winsync plugin to not require this GID, since AD users have private groups by default.
This ticket may be connected with #2324.
Wouldn't it be better to create UPGs for these users?
They do get UPGs but the primary user group is still being set to ipausers. We missed updating this when we switched over.
We should probably treat this like we do when adding normal users. See if UPG is enabled and if so, just add them as a member of ipausers. Otherwise use the ipausers group's gidNumber.
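The decision rule proposed in this comment (check whether UPG is enabled, and only fall back to the ipausers gidNumber when it is not), combined with the pre-agreement check suggested in the description, as an added Python example that is not FreeIPA's own code. The LDAP entries are constructed dicts, and treating an originfilter of objectclass=disable as the "UPG disabled" marker is an assumption about how ipa-managed-entries records that state.

```python
from typing import Dict, List, Optional

# Constructed sample LDAP entries (attribute -> values); not data from a live server.
UPG_DEFINITION_ENABLED = {"originfilter": ["(objectclass=posixAccount)"]}
UPG_DEFINITION_DISABLED = {"originfilter": ["(objectclass=disable)"]}
IPAUSERS_NONPOSIX = {"objectClass": ["top", "groupofnames", "ipausergroup"]}
IPAUSERS_POSIX = {"objectClass": ["top", "groupofnames", "ipausergroup", "posixgroup"],
                  "gidNumber": ["1001"]}


def upg_enabled(upg_definition: Dict[str, List[str]]) -> bool:
    """Mirror 'ipa-managed-entries -e "UPG Definition" status': UPG counts as
    disabled once the definition's originfilter has been rewritten to
    objectclass=disable (assumption about how the disable command marks it)."""
    filters = upg_definition.get("originfilter", [])
    return not any("objectclass=disable" in f.lower() for f in filters)


def agreement_precheck(upg_definition: Dict[str, List[str]],
                       ipausers: Dict[str, List[str]]) -> Optional[str]:
    """The check ipa-replica-manage could run before creating a winsync
    agreement. Returns None when synced users will get a GID, else a message."""
    if upg_enabled(upg_definition):
        return None
    classes = {c.lower() for c in ipausers.get("objectClass", [])}
    if "posixgroup" in classes and ipausers.get("gidNumber"):
        return None
    return ("UPG is disabled and ipausers is not a POSIX group: enable UPG "
            "(ipa-managed-entries -e 'UPG Definition' enable) or make "
            "ipausers a POSIX group before creating the agreement")


def primary_gid_for_synced_user(uid_number: int,
                                upg_definition: Dict[str, List[str]],
                                ipausers: Dict[str, List[str]]) -> int:
    """gidNumber for a user winsync is about to create, per the proposal:
    UPG on -> the private group supplies it (gidNumber == uidNumber) and
    ipausers is membership only; UPG off -> fall back to ipausers' gidNumber."""
    problem = agreement_precheck(upg_definition, ipausers)
    if problem:
        # The plugin today only logs the error and leaves the GID unset.
        raise ValueError(problem)
    if upg_enabled(upg_definition):
        return uid_number
    return int(ipausers["gidNumber"][0])
```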
Replying to [comment:2 rcritten]:
That's not what I saw. UPG was created and GID was set to the UPG, not ipausers. Then it of course does not make much sense to search for the ipausers GID.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=798352
How to test:
ipa-managed-entries -e "UPG Definition" status
ipa-managed-entries -e "UPG Definition" enable
ipa-managed-entries -e "UPG Definition" disable
Patch freeipa-mkosek-232-treat-upgs-correctly-in-winsync-replication.patch sent for review
master: 51601ac
ipa-2-2: 1691871
Rename component.
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03