Re: [Freeipa-users] ipa-winsync account disable

On 06/21/2011 09:17 AM, Attila Bogár wrote:
Dear List,

winsync is working between AD and FreeIPA.

If I disable a user in FreeIPA, it automatically disables on the AD side.
Though, if I disable on the AD side, nothing happens on the FreeIPA side.
Sounds like a bug.

Moreover, if I get a Kerberos ticket for the disabled (only in AD) user from FreeIPA, then it automatically enables the user on the AD side.
Getting a Kerberos ticket may involve internal modify operations in FreeIPA - these ops will trigger the code that checks account disable sync. Since the user is enabled in FreeIPA, it will attempt to sync this state to AD. This is as expected, but since it appears disable sync is not working from AD to IPA, it "re-enables" the user in AD.

Settings for ipa-winsync are:
# ipa-winsync, plugins, config
dn: cn=ipa-winsync,cn=plugins,cn=config
ipawinsyncacctdisable: both

Is this the expected behaviour?
What version of Windows? 32-bit or 64-bit?
Can you run with the REPL and PLUGIN log levels on? That may reveal some useful clue.
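
An added example, not part of the original thread and not FreeIPA code: an offline check for the state drift discussed above (an account disabled on one side but still enabled on the other), run over LDIF exports of both directories. It assumes winsync pairs AD `sAMAccountName` with IPA `uid`, that AD flags a disabled account with the `ACCOUNTDISABLE` bit (0x2) of `userAccountControl`, and that the IPA side uses `nsAccountLock: TRUE`; the sample entries and the function names are constructed for illustration.

```python
# Added example; both LDIF samples below are constructed, not real exports.
AD_LDIF = """\
dn: CN=alice,CN=Users,DC=ad,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,CN=Users,DC=ad,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 514

dn: CN=carol,CN=Users,DC=ad,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 512
"""
IPA_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=example,dc=test
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=example,dc=test
uid: bob
nsAccountLock: FALSE

dn: uid=carol,cn=users,cn=accounts,dc=ipa,dc=example,dc=test
uid: carol
nsAccountLock: TRUE
"""
UF_ACCOUNTDISABLE = 0x0002  # AD userAccountControl bit for a disabled account

def parse_ldif(text):
    """Return one {attr: value} dict per entry (no folding, base64 or multi-values)."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (l.partition(":") for l in block.splitlines()
                 if ":" in l and not l.startswith("#"))
        entries.append({k.strip().lower(): v.strip() for k, _, v in pairs})
    return entries

def find_drift(ad_text, ipa_text):
    """Return sorted (user, side_where_disabled) for accounts whose state differs."""
    # Assumption: winsync pairs AD sAMAccountName with IPA uid.
    ad = {e["samaccountname"].lower():
          bool(int(e.get("useraccountcontrol", "0")) & UF_ACCOUNTDISABLE)
          for e in parse_ldif(ad_text) if "samaccountname" in e}
    ipa = {e["uid"].lower(): e.get("nsaccountlock", "").lower() == "true"
           for e in parse_ldif(ipa_text) if "uid" in e}
    return [(u, "AD" if ad[u] else "IPA")
            for u in sorted(ad.keys() & ipa.keys()) if ad[u] != ipa[u]]

if __name__ == "__main__":
    for user, side in find_drift(AD_LDIF, IPA_LDIF):
        print(f"{user}: disabled only in {side}")
```

Entries reported as disabled only in AD are the ones affected by the behaviour in this thread, where a modify on the FreeIPA side pushes the enabled state back to AD.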


