RHEL-16141

[RFE]: Allow deletion of computer objects that have subobjects through adcli


    • adcli-0.9.3.1-1.el10
    • None
    • Low
    • rhel-idm-sssd
    • ssg_idm
    • FutureFeature
    • None
    • False
    • False
    • Yes
    • None
    • Enhancement
      .Recursive deletion for computer objects added to `adcli`

      The `adcli delete-computer` command supports the `--recursive` option to delete computer objects from Active Directory, including their child objects. Previously, attempting to delete a computer object that contained child objects, such as metadata for BitLocker drive recovery, failed with a `CANT_ON_NON_LEAF` error in AD. With this update, users can cleanly delete computer objects that contain child objects via `adcli`.
    • Done
    • x86_64
    • None

      What were you trying to do that didn't work?

      Trying to delete the computer object which has sub-objects under it using adcli delete-computer. However, it fails with an error.

      # /usr/sbin/adcli delete-computer --verbose --login-user=admin --domain=ad.example.org --domain-realm=AD.EXAMPLE.ORG --domain-controller=hostname.ad.example.org client1234

      Please provide the package NVR for which bug is seen:

      • adcli-0.9.2-1.el8.x86_64

      How reproducible:

      • Configure RHEL 8.8 system as a client to AD by joining the system using adcli.
      • Add some stuff like printers and other stuff under this object.
      • Then try to delete the object using
      # /usr/sbin/adcli delete-computer --verbose --login-user=admin --domain=ad.example.org --domain-realm=AD.EXAMPLE.ORG --domain-controller=hostname.ad.example.org client1234

      Expected results

      Object should get deleted or should show some warning and then should have an option to force delete it if the user wants to still delete it after the warning.

      Actual results:

      It fails with the below error:

       * Found computer account for client1234$ at: CN=client1234,CN=Computers,DC=ad,DC=example,DC=org
       ! Couldn't delete computer account: CN=client1234,CN=Computers,DC=ad,DC=example,DC=org: 00002015: UpdErr: DSID-031A123E, problem 6003 (CANT_ON_NON_LEAF), data 0

      adcli: deleting client1234 in ad.example.org domain failed: Couldn't delete computer account: CN=client1234,CN=Computers,DC=ad,DC=example,DC=org: 00002015: UpdErr: DSID-031A123E, problem 6003 (CANT_ON_NON_LEAF), data 0
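
Since `--recursive` removes child objects such as BitLocker recovery metadata together with the computer account, it helps to list those children before retrying a failed delete. The script below is an added example, not part of the ticket or of adcli: it extracts the DN from the `CANT_ON_NON_LEAF` failure, builds an `ldapsearch` subtree query, and classifies the entries in the returned LDIF. It assumes OpenLDAP client tools with Kerberos authentication; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# Print the DN that adcli could not delete because it has child objects.
non_leaf_dn() {
    sed -n 's/.*Couldn.t delete computer account: \(.*\): [0-9A-Fa-f]\{8\}: UpdErr: .*(CANT_ON_NON_LEAF).*/\1/p' | sort -u
}

# Print the ldapsearch call listing the subtree of DN $1 on DC $2
# (assumes OpenLDAP client tools and a Kerberos ticket for -Y GSSAPI).
child_query() {
    printf "ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -H ldap://%s -b '%s' -s sub '(objectClass=*)' dn objectClass\n" "$2" "$1"
}

# Read that LDIF on stdin; print "kind<TAB>dn" for every entry below DN $1.
# BitLocker recovery entries carry objectClass msFVE-RecoveryInformation.
classify_children() {
    BASE="$1" awk '
        function flush() {
            if (dn != "" && tolower(dn) != tolower(ENVIRON["BASE"]))
                printf "%s\t%s\n", (bl ? "bitlocker-recovery" : "other"), dn
            dn = ""; bl = 0
        }
        /^dn: / { flush(); dn = substr($0, 5) }
        tolower($0) == "objectclass: msfve-recoveryinformation" { bl = 1 }
        END { flush() }'
}

# Constructed samples: the ticket's error line and an LDIF reply with two children.
sample_adcli() { cat <<'EOF'
 ! Couldn't delete computer account: CN=client1234,CN=Computers,DC=ad,DC=example,DC=org: 00002015: UpdErr: DSID-031A123E, problem 6003 (CANT_ON_NON_LEAF), data 0
EOF
}
sample_ldif() { cat <<'EOF'
dn: CN=client1234,CN=Computers,DC=ad,DC=example,DC=org
objectClass: computer

dn: CN=recovery-sample,CN=client1234,CN=Computers,DC=ad,DC=example,DC=org
objectClass: msFVE-RecoveryInformation

dn: CN=printer-sample,CN=client1234,CN=Computers,DC=ad,DC=example,DC=org
objectClass: printQueue
EOF
}

dn=$(sample_adcli | non_leaf_dn)
child_query "$dn" hostname.ad.example.org
sample_ldif | classify_children "$dn"
```

Entries whose DN is returned base64-encoded (`dn::`) are not decoded by this sketch and would need handling before relying on the listing.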

              sbose@redhat.com Sumit Bose
              rhn-support-apeddire AbhinayReddy Peddireddy
              Sumit Bose Sumit Bose
              Shridhar Gadekar Shridhar Gadekar
              Dominika Borges Dominika Borges