https://bugzilla.redhat.com/show_bug.cgi?id=841919 (Red Hat Enterprise Linux 6)
Description of problem:
A user that existed in IPA and was existing in AD or was added after winsync does not get deleted from AD when it is deleted from ipa

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add user in IPA before winsync with AD
2. Add the same user in AD before winsync with minor different data. Like different telephone number
3. Setup winsync
4. The AD user overrides the IPA user. Check that phone number is displayed as was set in AD
5. Delete that user from IPA with # ipa user-del user
6. The user gets deleted from IPA, but is not deleted from AD
7. The case is the same if an IPA existing user is added in AD after winsync.

Actual results:
User exists in AD even after deletion from IPA server

Expected results:
User must be deleted from AD server as well

Additional info:
[root@wheeljack slapd-TESTRELM-COM]# ipa user-add ADnew
First name: ADnew
Last name: user
------------------
Added user "adnew"
------------------
  User login: adnew
  First name: ADnew
  Last name: user
  Full name: ADnew user
  Display name: ADnew user
  Initials: Au
  Home directory: /home/adnew
  GECOS field: ADnew user
  Login shell: /bin/sh
  Kerberos principal: adnew@TESTRELM.COM
  UID: 75600042
  GID: 75600042
  Password: False
  Kerberos keys available: False
[root@wheeljack slapd-TESTRELM-COM]# ipa user-mod ADnew --phone=233223322
---------------------
Modified user "adnew"
---------------------
  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 233223322
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@wheeljack slapd-TESTRELM-COM]# ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 75600000
  GID: 75600000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 233223322
  Account disabled: False
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 2
----------------------------
[root@wheeljack ipa-winsync]# ipa-replica-manage connect --winsync --passsync=password --cacert=ADcert.cer squab.adrelm.com --binddn "CN=Administrator,CN=Users,DC=adrelm,DC=com" --bindpw Secret123 -v -p Secret123
Added CA certificate ADcert.cer to certificate database for wheeljack.testrelm.com
ipa: INFO: AD Suffix is: DC=adrelm,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20120720112643Z: end: 20120720112643Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update succeeded
Connected 'wheeljack.testrelm.com' to 'squab.adrelm.com'

* User ADnew overrides IPA user attributes. Check Telephone Number

[root@wheeljack ipa-winsync]# ipa user-show ADnew
  User login: adnew
  First name: ADnew
  Last name: user
  Home directory: /home/adnew
  Login shell: /bin/sh
  UID: 75600042
  GID: 75600042
  Telephone Number: 345345345
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@wheeljack ipa-winsync]# ipa user-del ADnew
--------------------
Deleted user "adnew"
--------------------
[root@wheeljack ipa-winsync]# ipa user-show ADnew
ipa: ERROR: adnew: user not found

* User still exists in AD. It does not re-sync back to IPA.
Behaviour is the same if an existing user in IPA is also added in AD post winsync

[root@wheeljack ipa-winsync]# ldapsearch -ZZ -x -h squab.adrelm.com -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123 -b "cn=ADnew user,cn=users,dc=adrelm,dc=com"
# extended LDIF
#
# LDAPv3
# base <cn=ADnew user,cn=users,dc=adrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ADnew user, Users, adrelm.com
dn: CN=ADnew user,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ADnew user
sn: user
telephoneNumber: 345345345
givenName: ADnew
initials: Au
distinguishedName: CN=ADnew user,CN=Users,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20120720112145.0Z
whenChanged: 20120720114430.0Z
displayName: ADnew user
uSNCreated: 159965
uSNChanged: 159977
name: ADnew user
objectGUID:: iit425bnC0afYwYsTr6E3A==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129872582705468750
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAiFnzZEqY6qC0I54HEAUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ADnew
sAMAccountType: 805306368
userPrincipalName: ADnew@adrelm.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129872574176250000

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
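Because winsync leaves a pre-existing AD account in place after `ipa user-del`, the account stays enabled in AD with no IPA counterpart. The following reconciliation script is an added example, not part of the bug report or of the IPA project: it parses LDIF in the shape `ldapsearch` returns from AD, compares `sAMAccountName` values against the logins IPA still lists, and reports enabled AD accounts that have no IPA user left. The LDIF sample and the IPA login set are constructed for the example; `UF_ACCOUNTDISABLE` is the standard `userAccountControl` disable bit.

```python
"""Reconcile AD against IPA after winsync (added example, not project code).

winsync does not propagate an IPA deletion to an account that already existed
in AD before the sync agreement (or was added there independently).  This
script lists enabled AD accounts whose login no longer exists in IPA so they
can be disabled or removed by hand.  All sample data below is constructed.
"""
import base64
import re

# Bit in userAccountControl meaning "account disabled" (512 = normal, enabled).
UF_ACCOUNTDISABLE = 0x0002

# Constructed sample: trimmed LDIF in the shape `ldapsearch` prints for AD.
AD_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=adrelm,dc=com> with scope subtree
# filter: (objectclass=user)
# requesting: ALL
#

# ADnew user, Users, adrelm.com
dn: CN=ADnew user,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: user
cn: ADnew user
sAMAccountName: ADnew
userAccountControl: 512
objectGUID:: iit425bnC0afYwYsTr6E3A==
telephoneNumber: 345345345

# Old User, Users, adrelm.com
dn: CN=Old User,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: user
cn: Old User
sAMAccountName: olduser
userAccountControl: 514

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Constructed sample: logins `ipa user-find` still lists after `ipa user-del ADnew`.
IPA_LOGINS = {"admin"}


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Skips '#' comments, unfolds continuation lines (leading space), decodes
    base64 values written with '::' to bytes, and drops blocks without a dn
    such as the trailing 'search:/result:' footer.
    """
    entries, current = [], None
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())  # binary attribute
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def orphaned_ad_accounts(ad_entries, ipa_logins):
    """Return sAMAccountNames of enabled AD accounts with no matching IPA user.

    IPA stores logins lower-cased (the report shows 'ADnew' added as 'adnew'),
    so the comparison is case-insensitive.  Disabled AD accounts are skipped.
    """
    known = {login.lower() for login in ipa_logins}
    orphans = []
    for entry in ad_entries:
        sam = entry.get("sAMAccountName", [None])[0]
        if sam is None:
            continue
        uac = int(entry.get("userAccountControl", ["0"])[0])
        if not uac & UF_ACCOUNTDISABLE and sam.lower() not in known:
            orphans.append(sam)
    return orphans


if __name__ == "__main__":
    for sam in orphaned_ad_accounts(parse_ldif(AD_LDIF), IPA_LOGINS):
        print(f"enabled in AD but gone from IPA: {sam}")
```

In use, feed the script the real `ldapsearch` output restricted to the subtree the sync agreement covers and the logins from `ipa user-find`; the accounts it flags are exactly the ones the "working as designed" behaviour leaves behind, so the check belongs in whatever runs after user offboarding.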
Working as designed.
Metadata Update from @rcritten:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE