Issue #4837: Password does not sync - freeipa

freeipa

#4837 Password does not sync

Closed: Fixed None Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1181093

Description of problem:
Password of AD user is not syncing to IPA

Version-Release number of selected component (if applicable):
[root@sideswipe ~]# rpm -q ipa-server 389-ds-base
ipa-server-4.1.0-13.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64


How reproducible:


Steps to Reproduce:
1. Install IPA
2. Create winsync agreement
3. Add new user on AD and set password
4. Reset password of existing user
5. Passwords in above cases should sync on IPA server

Actual results:
[root@sideswipe ~]# hostname
sideswipe.ipasync.test

[root@sideswipe ~]# ipa user-show aduser1
  User login: aduser1
  First name: ads
  Last name: user
  Home directory: /home/aduser1
  Login shell: /bin/sh
  Email address: aduser1@testrelm.test
  UID: 184400014
  GID: 184400014
  Telephone Number: 66778839
  Account disabled: False
  Password: False
  Kerberos keys available: False

Logs on resetting password on AD

01/12/15 16:38:50: Received passhook event.  Attempting sync
01/12/15 16:38:50: 1 new entries loaded from data file
01/12/15 16:38:50: Cleared contents of data file
01/12/15 16:38:50: Password list has 2 entries
01/12/15 16:38:51: Attempting to sync password for frank
01/12/15 16:38:51: Searching for (ntuserdomainid=frank)
01/12/15 16:38:51: There are no entries that match: frank
01/12/15 16:38:51: Deferring password change for frank
01/12/15 16:38:51: Attempting to sync password for aduser1
01/12/15 16:38:51: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:51: There are no entries that match: aduser1
01/12/15 16:38:51: Deferring password change for aduser1
01/12/15 16:38:51: Backing off for 2000ms
01/12/15 16:38:53: Backoff time expired.  Attempting sync
01/12/15 16:38:53: Password list has 2 entries
01/12/15 16:38:53: Attempting to sync password for frank
01/12/15 16:38:53: Searching for (ntuserdomainid=frank)
01/12/15 16:38:53: There are no entries that match: frank
01/12/15 16:38:53: Deferring password change for frank
01/12/15 16:38:53: Attempting to sync password for aduser1
01/12/15 16:38:53: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:53: There are no entries that match: aduser1
01/12/15 16:38:53: Deferring password change for aduser1
01/12/15 16:38:53: Backing off for 4000ms
01/12/15 16:38:57: Backoff time expired.  Attempting sync
01/12/15 16:38:57: Password list has 2 entries
01/12/15 16:38:57: Attempting to sync password for frank
01/12/15 16:38:57: Searching for (ntuserdomainid=frank)
01/12/15 16:38:57: There are no entries that match: frank
01/12/15 16:38:57: Deferring password change for frank
01/12/15 16:38:57: Attempting to sync password for aduser1
01/12/15 16:38:57: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:57: There are no entries that match: aduser1
01/12/15 16:38:57: Deferring password change for aduser1
01/12/15 16:38:57: Backing off for 8000ms


Expected results:
Passwords must sync on IPA server

Additional info:

mkosek commented 9 years ago

Patch freeipa-mkosek-489-allow-replication-administrators-to-manipulate-winsy.patch sent for review

mkosek commented 9 years ago

This is a regression and needs to addressed in 4.0.x.

mkosek commented 9 years ago

Testing Instructions

Either test with PassSync software directly or verify that passsync system user can see NT attribute and change user passwords:

# ldapsearch -D "uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test" -x
-w Secret123 -b cn=users,cn=accounts,dc=mkosek-f21,dc=test
"(ntuserdomainid=testuser)" ntuserdomainid
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (ntuserdomainid=testuser)
# requesting: ntuserdomainid
#

# testuser, users, accounts, mkosek-f21.test
dn: uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test
ntuserdomainid: testuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


# ldappasswd -D "uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test" -x
-w Secret123 uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test -s newPassword
[root@ipa ~]# echo $?
0

mkosek commented 9 years ago

attachment
freeipa-mkosek-488.2-allow-passsync-user-to-locate-and-update-nt-users.patch

mkosek commented 9 years ago

Moving to 4.0 - patch conflicts in 4.0 and is not critical enough to be adding this branch, given 4.1 is officially supported.

mkosek commented 9 years ago

master:

6652c4e Allow PassSync user to locate and update NT users

ipa-4-1:

282d1ec Allow PassSync user to locate and update NT users

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 4.1.3

7 years ago

Metadata

Assignee

mkosek

Tags

None

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.1.3

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Winsync

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

dkupka

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1181093

tester

None

changelog

None

design

None

freeipa

Source Code

#4837 Password does not sync Closed: Fixed None Opened 9 years ago by mkosek.

Metadata

#4837 Password does not sync

Closed: Fixed None Opened 9 years ago by mkosek.