Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1182477
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
ipawinsyncacctdisable is set to both, but users enable/disable does not sync from AD to IPA and back.

Version-Release number of selected component (if applicable):
[root@sideswipe ~]# rpm -q ipa-server
ipa-server-4.1.0-15.el7.x86_64

How reproducible: always

Steps to Reproduce:
1. Setup IPA server
2. Add winsync agreement with an AD
3. Disable user on AD
4. Disable a synced AD user in IPA

Actual results:
3. User is not disabled in IPA
4. User is not disabled in AD

Expected results:
User disabled/enabled is synced to the other server

Additional info:
User disabled on AD
[root@sideswipe ~]# ldapsearch -x -h ad12srv1.adtest.qe -D "CN=Administrator,CN=Users,dc=adtest,dc=qe" -w Secret123 -b "CN=ads09 user,CN=Users,dc=adtest,dc=qe" userAccountControl | grep 514
userAccountControl: 514

After winsync interval user is not disabled on IPA
[root@sideswipe ~]# ipa user-show aduser09 | grep "Account disabled"
Account disabled: False
It was found out that in downstream (RHEL) this will be fixed purely in 389-ds-base. I need to find out what is the planned DS fix for Fedora/upstream.
Noriko confirmed in the downstream bug that upstream/Fedora DS will do the same fix. Nothing to be done on the FreeIPA side then.
Metadata Update from @mkosek: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE