The command ipa-restore deletes users with infinite maxlife (maxlife=0) when a full backup is restored.
```
$ ipa pwpolicy-find sysaccounts
  Group: sysaccounts
  Max lifetime (days): 0
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 16
  Priority: 999
  Max failures: 0
  Failure reset interval: 0
  Lockout duration: 0

$ ipa user-add example --first="Example" --last="User" --random
$ ipa group-add-member sysaccounts --users=example

$ ipa user-show example --all --raw | grep -i krbPasswordExpiration
# It does not exist

$ ipa-backup
$ ipa-restore /var/lib/ipa/backup/ipa-full-2020-06-29-09-09-53
```
The user does not exist anymore.
```
$ ipa user-show example
ipa: ERROR: example: user not found
```
However, the private group for the user still exists.
```
$ ipa group-show example
  Group name: example
  Description: User private group for example
  GID: 1198800037
```
No user deleted.
```
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
ipa-client-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
389-ds-base-1.4.2.4-8.module_el8.2.0+366+71e3276f.x86_64
pki-ca-10.8.3-2.module_el8.2.0+371+f5726439.noarch
krb5-server-1.17-18.el8.x86_64
```
Does the user entry still exist in LDAP? Please perform an LDAP query as "cn=Directory Manager" and check if the entry is missing. It might be possible that the user object is hidden.
No, it does not exist.
```
$ ldapsearch -W -D "cn=Directory Manager" -b "cn=users,cn=accounts,dc=test,dc=local" "(uid=example)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=test,dc=local> with scope subtree
# filter: (uid=example)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
```
I cannot reproduce the problem with ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64. Could you try again with RHEL 8.2?
ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
This is weird, I repeated all the steps and the user is deleted when a second backup/restore is performed.
Can you verify this behavior in your environment?
I'd suggest pulling apart the backup tarball(s) to extract userRoot.ldif to see if the user was backed up at all. It is in /var/lib/ipa/backup/ipa-full-<date>/ipa-full.tar
No query goes into backing up entries so the fact that this user has a specific password policy should not matter. This is a dump and restore of the LDAP database directly.
We are closing this bug because we have not received sufficient information to make progress. Please feel free to open this bug again when you are able to provide the required information we requested.
Metadata Update from @rcritten:
- Issue close_status updated to: insufficientinfo
- Issue status updated to: Closed (was: Open)