Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1181093
Description of problem:
Password of AD user is not syncing to IPA

Version-Release number of selected component (if applicable):
[root@sideswipe ~]# rpm -q ipa-server 389-ds-base
ipa-server-4.1.0-13.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

How reproducible:

Steps to Reproduce:
1. Install IPA
2. Create winsync agreement
3. Add new user on AD and set password
4. Reset password of existing user
5. Passwords in above cases should sync on IPA server

Actual results:
[root@sideswipe ~]# hostname
sideswipe.ipasync.test
[root@sideswipe ~]# ipa user-show aduser1
  User login: aduser1
  First name: ads
  Last name: user
  Home directory: /home/aduser1
  Login shell: /bin/sh
  Email address: aduser1@testrelm.test
  UID: 184400014
  GID: 184400014
  Telephone Number: 66778839
  Account disabled: False
  Password: False
  Kerberos keys available: False

Logs on resetting password on AD:
01/12/15 16:38:50: Received passhook event. Attempting sync
01/12/15 16:38:50: 1 new entries loaded from data file
01/12/15 16:38:50: Cleared contents of data file
01/12/15 16:38:50: Password list has 2 entries
01/12/15 16:38:51: Attempting to sync password for frank
01/12/15 16:38:51: Searching for (ntuserdomainid=frank)
01/12/15 16:38:51: There are no entries that match: frank
01/12/15 16:38:51: Deferring password change for frank
01/12/15 16:38:51: Attempting to sync password for aduser1
01/12/15 16:38:51: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:51: There are no entries that match: aduser1
01/12/15 16:38:51: Deferring password change for aduser1
01/12/15 16:38:51: Backing off for 2000ms
01/12/15 16:38:53: Backoff time expired. Attempting sync
01/12/15 16:38:53: Password list has 2 entries
01/12/15 16:38:53: Attempting to sync password for frank
01/12/15 16:38:53: Searching for (ntuserdomainid=frank)
01/12/15 16:38:53: There are no entries that match: frank
01/12/15 16:38:53: Deferring password change for frank
01/12/15 16:38:53: Attempting to sync password for aduser1
01/12/15 16:38:53: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:53: There are no entries that match: aduser1
01/12/15 16:38:53: Deferring password change for aduser1
01/12/15 16:38:53: Backing off for 4000ms
01/12/15 16:38:57: Backoff time expired. Attempting sync
01/12/15 16:38:57: Password list has 2 entries
01/12/15 16:38:57: Attempting to sync password for frank
01/12/15 16:38:57: Searching for (ntuserdomainid=frank)
01/12/15 16:38:57: There are no entries that match: frank
01/12/15 16:38:57: Deferring password change for frank
01/12/15 16:38:57: Attempting to sync password for aduser1
01/12/15 16:38:57: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:57: There are no entries that match: aduser1
01/12/15 16:38:57: Deferring password change for aduser1
01/12/15 16:38:57: Backing off for 8000ms

Expected results:
Passwords must sync on IPA server

Additional info:
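The log above shows the symptom that matters operationally: every (ntuserdomainid=...) search comes back empty, even for aduser1, which ipa user-show confirms exists, and PassSync defers the change and keeps retrying with a doubling backoff. 389 Directory Server does not return an access error for entries or attributes the bound identity may not read; it simply omits them from the result, so a permission regression on the passsync system account looks exactly like a missing user. The following script is an added example, not part of this ticket or of the PassSync code: it parses passsync.log lines in the format quoted above and flags users whose every retry failed on an empty search, which is the pattern that points at the bind account's read access rather than at winsync itself. The sample log is constructed from the lines in the report; the extra user "carol" (deferred only once) is invented to show the threshold at work.

```python
"""Flag AD users whose PassSync password pushes are stuck on empty searches.

Added example for the ticket above; not PassSync or FreeIPA code.
Input format: "MM/DD/YY HH:MM:SS: message", as in passsync.log.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample built from the lines quoted in the bug report.
# frank and aduser1 reproduce the report; "carol" is an invented user
# deferred only once, so the min_deferrals threshold has something to cut.
SAMPLE_LOG = """\
01/12/15 16:38:50: Received passhook event. Attempting sync
01/12/15 16:38:50: Password list has 3 entries
01/12/15 16:38:51: Attempting to sync password for frank
01/12/15 16:38:51: Searching for (ntuserdomainid=frank)
01/12/15 16:38:51: There are no entries that match: frank
01/12/15 16:38:51: Deferring password change for frank
01/12/15 16:38:51: Attempting to sync password for aduser1
01/12/15 16:38:51: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:51: There are no entries that match: aduser1
01/12/15 16:38:51: Deferring password change for aduser1
01/12/15 16:38:51: Attempting to sync password for carol
01/12/15 16:38:51: Searching for (ntuserdomainid=carol)
01/12/15 16:38:51: There are no entries that match: carol
01/12/15 16:38:51: Deferring password change for carol
01/12/15 16:38:51: Backing off for 2000ms
01/12/15 16:38:53: Backoff time expired. Attempting sync
01/12/15 16:38:53: Attempting to sync password for frank
01/12/15 16:38:53: Searching for (ntuserdomainid=frank)
01/12/15 16:38:53: There are no entries that match: frank
01/12/15 16:38:53: Deferring password change for frank
01/12/15 16:38:53: Attempting to sync password for aduser1
01/12/15 16:38:53: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:53: There are no entries that match: aduser1
01/12/15 16:38:53: Deferring password change for aduser1
01/12/15 16:38:53: Backing off for 4000ms
01/12/15 16:38:57: Backoff time expired. Attempting sync
01/12/15 16:38:57: Attempting to sync password for frank
01/12/15 16:38:57: Searching for (ntuserdomainid=frank)
01/12/15 16:38:57: There are no entries that match: frank
01/12/15 16:38:57: Deferring password change for frank
01/12/15 16:38:57: Attempting to sync password for aduser1
01/12/15 16:38:57: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:57: There are no entries that match: aduser1
01/12/15 16:38:57: Deferring password change for aduser1
01/12/15 16:38:57: Backing off for 8000ms
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (.*)$")
NO_MATCH_RE = re.compile(r"^There are no entries that match: (\S+)$")
DEFER_RE = re.compile(r"^Deferring password change for (\S+)$")
BACKOFF_RE = re.compile(r"^Backing off for (\d+)ms$")


def parse(log_text):
    """Yield (timestamp, message) for each well-formed log line; skip noise."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"), m.group(2)


def analyze(log_text):
    """Count deferrals and empty searches per user, collect the backoff
    sequence (ms) and the wall-clock span (s) covered by the log."""
    deferred, no_match, backoffs_ms, stamps = Counter(), Counter(), [], []
    for ts, msg in parse(log_text):
        stamps.append(ts)
        m = NO_MATCH_RE.match(msg)
        if m:
            no_match[m.group(1)] += 1
            continue
        m = DEFER_RE.match(msg)
        if m:
            deferred[m.group(1)] += 1
            continue
        m = BACKOFF_RE.match(msg)
        if m:
            backoffs_ms.append(int(m.group(1)))
    span_s = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {"deferred": dict(deferred), "no_match": dict(no_match),
            "backoffs_ms": backoffs_ms, "span_s": span_s}


def stuck_users(log_text, min_deferrals=2):
    """Users deferred at least min_deferrals times where *every* failure was
    an empty ntuserdomainid search: the permission-regression signature."""
    r = analyze(log_text)
    return sorted(u for u, n in r["deferred"].items()
                  if n >= min_deferrals and r["no_match"].get(u, 0) == n)


def backoff_is_doubling(backoffs_ms):
    """True when each retry interval is exactly twice the previous one."""
    return all(b == 2 * a for a, b in zip(backoffs_ms, backoffs_ms[1:]))


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("stuck users:", stuck_users(SAMPLE_LOG))
    print("backoffs:", r["backoffs_ms"], "doubling:", backoff_is_doubling(r["backoffs_ms"]))
```

If stuck_users reports accounts that ipa user-show resolves, the next step is the ldapsearch bound as the passsync system account from the testing instructions later in this ticket; an empty result there confirms the ACI problem rather than a winsync data problem.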
Patch freeipa-mkosek-489-allow-replication-administrators-to-manipulate-winsy.patch sent for review
This is a regression and needs to be addressed in 4.0.x.
Testing Instructions
Either test with the PassSync software directly or verify that the passsync system user can see the NT attribute and change user passwords:

# ldapsearch -D "uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test" -x -w Secret123 -b cn=users,cn=accounts,dc=mkosek-f21,dc=test "(ntuserdomainid=testuser)" ntuserdomainid
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (ntuserdomainid=testuser)
# requesting: ntuserdomainid
#

# testuser, users, accounts, mkosek-f21.test
dn: uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test
ntuserdomainid: testuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# ldappasswd -D "uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test" -x -w Secret123 uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test -s newPassword
[root@ipa ~]# echo $?
0
attachment freeipa-mkosek-488.2-allow-passsync-user-to-locate-and-update-nt-users.patch
Moving to 4.0 - patch conflicts in 4.0 and is not critical enough to be added to this branch, given 4.1 is officially supported.
master:
ipa-4-1:
Metadata Update from @mkosek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 4.1.3