[Freeipa-users] Question about ipa user accounts and the compat container

Alexander Bokovoy abokovoy at redhat.com
Thu Mar 9 21:06:20 UTC 2017


On Thu, 09 Mar 2017, Robert Johnson wrote:
>Hello,
>
>I am running into an odd issue and haven't been able to find any information
>through searching on this issue online.
>
>Environment: We currently have an IPA master running
>ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server.  We have a mix of
>RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one way trust to
>a windows domain.  Compatibility mode is enabled.
>
>The issue I'm seeing is that when I delete an IPA domain user through the
>web gui, the user account doesn't appear to be removed completely from the
>system.  I verified via "ipa user-find" that the user is no longer in the
>system.  I also checked via "ldapsearch" that the user account doesn't
>exist in the "accounts" container.  However, when I look in the "users,
>compat" container, that user still exists.
>
>This is causing problems with my Solaris clients since they are pointing to
>the compat tree so that we can login with the windows accounts on those
>servers.  The Solaris client is still seeing the account as being valid and
>is asking the user for a password on login which fails because the account
>doesn't exist in the IPA domain anymore.
>
>Do I need to remove the account from the ldap compat container manually or
>is the IPA user delete command (through the gui and/or command line)
>supposed to take care of this?  Or is there some sort of clean up
>process that I have to wait for to occur before this account gets removed
>from that container?  If so, what is the time frame?

The compat tree is automatically generated. It also tracks existing objects,
so any time the object is removed from the primary tree, it should be
cleared from the compat tree as well.

If you can reliably demonstrate the problem using
http://www.freeipa.org/page/Demo (it has compat tree enabled), then feel
free to open a bug.

-- 
/ Alexander Bokovoy
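
Added example, not part of the original message and not FreeIPA code: one way to check the behaviour described above is to dump the uid attribute from both containers and report compat entries that have no primary entry. The LDIF samples, the dc=example,dc=test suffix and the function names are constructed for illustration; skipping user@domain names as trusted-domain users is an assumption.

```python
import base64

# Constructed LDIF, shaped like "ldapsearch -LLL -b <container> uid" output.
ACCOUNTS_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,
 dc=test
uid: alice
uidNumber: 1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid:: Ym9i
"""

COMPAT_LDIF = """\
dn: uid=alice,cn=users,cn=compat,dc=example,dc=test
uid: alice

dn: uid=bob,cn=users,cn=compat,dc=example,dc=test
uid: bob

dn: uid=carol,cn=users,cn=compat,dc=example,dc=test
uid: carol

dn: uid=jdoe@ad.example.test,cn=users,cn=compat,dc=example,dc=test
uid: jdoe@ad.example.test
"""

def ldif_uids(ldif_text):
    """Return the lower-cased uid values found in LDIF text."""
    unfolded = []
    for line in ldif_text.splitlines():
        # RFC 2849: a line starting with one space continues the previous line.
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    uids = set()
    for line in unfolded:
        low = line.lower()
        if low.startswith("uid::"):      # base64-encoded value
            uids.add(base64.b64decode(line[5:].strip()).decode("utf-8").lower())
        elif low.startswith("uid:"):     # plain value; "uidNumber:" does not match
            uids.add(line[4:].strip().lower())
    return uids

def stale_compat_users(accounts_ldif, compat_ldif):
    """Sorted compat uids with no primary entry, skipping user@domain names."""
    primary = ldif_uids(accounts_ldif)
    # Assumption: trusted-domain users appear as user@domain and never have
    # an entry under cn=users,cn=accounts, so they are not reported.
    return sorted(u for u in ldif_uids(compat_ldif) if "@" not in u and u not in primary)

if __name__ == "__main__":
    print(stale_compat_users(ACCOUNTS_LDIF, COMPAT_LDIF))
```

A non-empty result for a user that was deleted is the evidence to attach to a bug report.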
