On 06/21/2011 09:17 AM, Attila Bogár wrote:
Dear List,
winsync is working between AD and FreeIPA.
If I disable a user in FreeIPA, it automatically disables on the AD side.
Though, if I disable on the AD side, nothing happens on the FreeIPA side.
Sounds like a bug.
Moreover, if I get a kerberos ticket for the disabled (only in AD)
user from freeipa, then it automatically enables the user on the AD side.
Getting a kerberos ticket may involve internal modify operations in
freeipa - these ops will trigger the code that checks account disable
sync. Since the user is enabled in freeipa, it will attempt to sync
this state to AD. This is as expected, but since it appears disable
sync is not working from AD to ipa, it re-enables the user in AD.
Settings for ipa-winsync are:
# ipa-winsync, plugins, config
dn: cn=ipa-winsync,cn=plugins,cn=config
ipawinsyncacctdisable: both
Is this the expected behaviour?
What version of Windows? 32-bit or 64-bit?
Can you run with the REPL and PLUGIN log levels on? That may reveal
some useful clue.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
Thanks,
Attila
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
