#2943 User that was existing in IPA before winsync does not get deleted from AD
Closed: Invalid. Opened 11 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=841919 (Red Hat Enterprise Linux 6)

Description of problem: A user that existed in IPA and was existing in AD or was
added after winsync does not get deleted from AD when it is deleted from IPA


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64

How reproducible: Always


Steps to Reproduce:
1. Add user in IPA before winsync with AD
2. Add the same user in AD before winsync with minor different data, like a
different telephone number
3. Setup winsync
4. The AD user overrides the IPA user. Check that phone number is displayed as
was set in AD
5. Delete that user from IPA with
# ipa user-del user
6. The user gets deleted from IPA, but is not deleted from AD
7. The case is the same if an IPA existing user is added in AD after winsync.

Actual results:
User exists in AD even after deletion from IPA server

Expected results:
User must be deleted from AD server as well

Additional info:
[root@wheeljack slapd-TESTRELM-COM]# ipa user-add ADnew
First name: ADnew
Last name: user
------------------
Added user "adnew"
------------------
  User login: adnew
  First name: ADnew
  Last name: user
  Full name: ADnew user
  Display name: ADnew user
  Initials: Au
  Home directory: /home/adnew
  GECOS field: ADnew user
  Login shell: /bin/sh
  Kerberos principal: adnew@TESTRELM.COM
  UID: 75600042
  GID: 75600042
  Password: False
  Kerberos keys available: False

[root@wheeljack slapd-TESTRELM-COM]# ipa user-mod ADnew --phone=233223322
---------------------
Modified user "adnew"
---------------------
  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 233223322
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@wheeljack slapd-TESTRELM-COM]# ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 75600000
  GID: 75600000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 233223322
  Account disabled: False
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 2
----------------------------

[root@wheeljack ipa-winsync]# ipa-replica-manage connect --winsync
--passsync=password --cacert=ADcert.cer squab.adrelm.com --binddn
"CN=Administrator,CN=Users,DC=adrelm,DC=com" --bindpw Secret123 -v -p Secret123
Added CA certificate ADcert.cer to certificate database for
wheeljack.testrelm.com
ipa: INFO: AD Suffix is: DC=adrelm,DC=com
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired
successfully: Incremental update started: start: 20120720112643Z: end:
20120720112643Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update succeeded
Connected 'wheeljack.testrelm.com' to 'squab.adrelm.com'

* User ADnew overrides IPA user attributes. Check Telephone Number

[root@wheeljack ipa-winsync]# ipa user-show ADnew
  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 345345345
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@wheeljack ipa-winsync]# ipa user-del ADnew
--------------------
Deleted user "adnew"
--------------------

[root@wheeljack ipa-winsync]# ipa user-show ADnew
ipa: ERROR: adnew: user not found

* User still exists in AD. It does not re-sync back to IPA. Behaviour is the
same if an existing user in IPA is also added in AD post winsync

[root@wheeljack ipa-winsync]# ldapsearch -ZZ -x -h squab.adrelm.com -D
"cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -b "cn=ADnew
user,cn=users,dc=adrelm,dc=com"
# extended LDIF
#
# LDAPv3
# base <cn=ADnew user,cn=users,dc=adrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ADnew user, Users, adrelm.com
dn: CN=ADnew user,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ADnew user
sn: user
telephoneNumber: 345345345
givenName: ADnew
initials: Au
distinguishedName: CN=ADnew user,CN=Users,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20120720112145.0Z
whenChanged: 20120720114430.0Z
displayName: ADnew user
uSNCreated: 159965
uSNChanged: 159977
name: ADnew user
objectGUID:: iit425bnC0afYwYsTr6E3A==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129872582705468750
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAiFnzZEqY6qC0I54HEAUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ADnew
sAMAccountType: 805306368
userPrincipalName: ADnew@adrelm.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129872574176250000

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
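The practical consequence of this ticket is an orphaned, still-enabled AD account after the IPA side has been deprovisioned. The following is an added example, not code from the ticket or from FreeIPA: it parses the LDIF that `ldapsearch` prints for the AD users container and the text output of `ipa user-find`, then lists AD user objects whose sAMAccountName has no matching IPA uid, flagging whether each orphan is still enabled (ACCOUNTDISABLE bit of userAccountControl). Both inputs are constructed samples modelled on the output shown above; the second AD user "jdoe" is invented to show a matched account, and the assumption that winsync maps sAMAccountName to a lower-cased uid is taken from the ticket's own output (ADnew in AD, adnew in IPA).

```python
import re

# Bit 0x2 of userAccountControl marks a disabled AD account; 512 is a plain
# enabled user, 514 the same account disabled.
ACCOUNTDISABLE = 0x0002

# Constructed sample: the ADnew entry from the ticket, trimmed to the
# attributes this check uses, plus an invented user "jdoe" that also exists
# in IPA (and is disabled in AD to exercise the userAccountControl decode).
AD_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=adrelm,dc=com> with scope subtree
# filter: (objectClass=user)
# requesting: ALL
#

# ADnew user, Users, adrelm.com
dn: CN=ADnew user,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ADnew user
objectGUID:: iit425bnC0afYwYsTr6E3A==
userAccountControl: 512
sAMAccountName: ADnew
userPrincipalName: ADnew@adrelm.com

# jdoe, Users, adrelm.com
dn: CN=jdoe,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jdoe
userAccountControl: 514
sAMAccountName: jdoe

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Constructed sample of `ipa user-find` after `ipa user-del ADnew`.
IPA_USER_FIND = """\
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  UID: 75600000

  User login: jdoe
  First name: John
  Last name: Doe
  UID: 75600043
----------------------------
Number of entries returned 2
----------------------------
"""

_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr_lower: [values]}.

    Folded continuation lines (leading space) are unfolded, '#' comments are
    skipped, and only records that carry a dn count as entries, so the trailing
    'search:'/'result:' lines are ignored. Base64 ('::') values are kept
    undecoded because this check never uses them.
    """
    entries, cur = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        m = _ATTR_RE.match(line)
        if m:
            cur.setdefault(m.group(1).lower(), []).append(m.group(3))
    if "dn" in cur:
        entries.append(cur)
    return entries


def ipa_logins(text):
    """Collect the 'User login:' values from `ipa user-find` output, lower-cased
    to match how IPA stores uid."""
    logins = set()
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep and key == "User login":
            logins.add(val.strip().lower())
    return logins


def find_orphans(ad_ldif, ipa_text):
    """Return AD user objects with no IPA uid of the same name (assumed winsync
    mapping: sAMAccountName -> lower-cased uid). 'enabled' is derived from the
    ACCOUNTDISABLE bit, so an enabled orphan is a live login nobody removed."""
    ipa = ipa_logins(ipa_text)
    orphans = []
    for e in parse_ldif(ad_ldif):
        if "user" not in (v.lower() for v in e.get("objectclass", [])):
            continue
        sam = e.get("samaccountname", [None])[0]
        if sam is None or sam.lower() in ipa:
            continue
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        orphans.append({"dn": e["dn"][0], "samaccountname": sam,
                        "enabled": not (uac & ACCOUNTDISABLE)})
    return orphans


if __name__ == "__main__":
    for o in find_orphans(AD_LDIF, IPA_USER_FIND):
        state = "ENABLED" if o["enabled"] else "disabled"
        print(f"{o['samaccountname']:<12} {state:<9} {o['dn']}")
```

In practice the two strings would be replaced by the real output of `ldapsearch` against the synced AD subtree and of `ipa user-find`; AD users that live outside the synced subtree, or that winsync was configured to skip, would show up as false positives, so the list is a starting point for review rather than something to feed straight into a deletion job.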

Metadata Update from @rcritten:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago
