[Freeipa-users] ipa-winsync account disable
Rich Megginson
rmeggins at redhat.com
Tue Jun 21 16:20:20 UTC 2011
On 06/21/2011 09:17 AM, Attila Bogár wrote:
> Dear List,
>
> winsync is working between AD and FreeIPA.
>
> If I disable a user in FreeIPA, it automatically disables on the AD side.
> Though, if I disable on the AD side, nothing happens on the FreeIPA side.
Sounds like a bug.
>
> Moreover, if I get a kerberos ticket for the disabled (only in AD)
> user from freeipa, then it automatically enables the user on the AD side.
Getting a kerberos ticket may involve internal modify operations in
freeipa - these ops will trigger the code that checks account disable
sync. Since the user is enabled in freeipa, it will attempt to sync
this state to AD. This is as expected, but since it appears disable
sync is not working from AD to ipa, it "re-enables" the user in AD.
>
> Settings for ipa-winsync are:
> # ipa-winsync, plugins, config
> dn: cn=ipa-winsync,cn=plugins,cn=config
> ipawinsyncacctdisable: both
>
> Is this the expected behaviour?
What version of Windows? 32-bit or 64-bit?
Can you run with the REPL and PLUGIN log levels on? That may reveal
some useful clue.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> Thanks,
> Attila
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list