The same issue by the way happens when a user's membership is changed and thus removes him from the domain:
[stack@undercloud-6 ~]$ ^C [stack@undercloud-6 ~]$ openstack role add --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 _member_ [stack@undercloud-6 ~]$ openstack role assignment list --names +---------------+------------------------------------+-------+-----------------+------------+-----------+ | Role | User | Group | Project | Domain | Inherited | +---------------+------------------------------------+-------+-----------------+------------+-----------+ | admin | cinderv2@Default | | service@Default | | False | | _member_ | cinderv2@Default | | service@Default | | False | | admin | ceilometer@Default | | service@Default | | False | | _member_ | ceilometer@Default | | service@Default | | False | | ResellerAdmin | ceilometer@Default | | service@Default | | False | | admin | admin@Default | | admin@Default | | False | | admin | nova@Default | | service@Default | | False | | _member_ | nova@Default | | service@Default | | False | | admin | glance@Default | | service@Default | | False | | _member_ | glance@Default | | service@Default | | False | | admin | neutron@Default | | service@Default | | False | | _member_ | neutron@Default | | service@Default | | False | | admin | sahara@Default | | service@Default | | False | | _member_ | sahara@Default | | service@Default | | False | | admin | gnocchi@Default | | service@Default | | False | | _member_ | gnocchi@Default | | service@Default | | False | | ResellerAdmin | gnocchi@Default | | service@Default | | False | | admin | swift@Default | | service@Default | | False | | _member_ | swift@Default | | service@Default | | False | | admin | aodh@Default | | service@Default | | False | | _member_ | aodh@Default | | service@Default | | False | | _member_ | test@redhat | | demo@Default | | False | | admin | cinder@Default | | service@Default | | False | | _member_ | cinder@Default | | service@Default | | False | | admin | heat@Default | | service@Default | | False | | _member_ | heat@Default | | service@Default | | False | | admin | admin@Default | | | redhat | False | | admin | admin@Default | | | Default | False | | admin | heat_stack_domain_admin@heat_stack | | | heat_stack | False | +---------------+------------------------------------+-------+-----------------+------------+-----------+ [stack@undercloud-6 ~]$ openstack user list --domain redhat +------------------------------------------------------------------+----------+ | ID | Name | +------------------------------------------------------------------+----------+ | 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap | | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris | | 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond | +------------------------------------------------------------------+----------+ [stack@undercloud-6 ~]$ openstack role assignment list --names Could not find user: test (HTTP 404) (Request-ID: req-b12cbb45-e0a9-4971-96ab-fde229161bd9) [stack@undercloud-6 ~]$
Disabling an account in Active Directory keeps the user in the user list and hence does not have the same effect. Everything is o.k. in this case.
The same issue by the way happens when a user's membership is changed and thus removes him from the domain:
[stack@undercloud-6 ~]$ ^C 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2 _member_ ------- --+---- ------- ------- ------- ------- ----+-- -----+- ------- ------- --+---- ------- -+----- ------+ ------- --+---- ------- ------- ------- ------- ----+-- -----+- ------- ------- --+---- ------- -+----- ------+ domain_ admin@heat_ stack | | | heat_stack | False | ------- --+---- ------- ------- ------- ------- ----+-- -----+- ------- ------- --+---- ------- -+----- ------+ ------- ------- ------- ------- ------- ------- ------- ------- ----+-- ------- -+ ------- ------- ------- ------- ------- ------- ------- ------- ----+-- ------- -+ 6e938f39256beb9 f8096625c29f34b c8d88990b419820 5f90 | svc-ldap | 55349c62705f750 634a1d0d6803864 44dbe0f7ffd9f15 b032 | akaris | 6b3f95409a663a4 4718bec62eeabc9 ec6f08ff78ef5fd 457d | nalmond | ------- ------- ------- ------- ------- ------- ------- ------- ----+-- ------- -+ e0a9-4971- 96ab-fde229161b d9)
[stack@undercloud-6 ~]$ openstack role add --project demo --user f3f3e1b1c01c792
[stack@undercloud-6 ~]$ openstack role assignment list --names
+------
| Role | User | Group | Project | Domain | Inherited |
+------
| admin | cinderv2@Default | | service@Default | | False |
| _member_ | cinderv2@Default | | service@Default | | False |
| admin | ceilometer@Default | | service@Default | | False |
| _member_ | ceilometer@Default | | service@Default | | False |
| ResellerAdmin | ceilometer@Default | | service@Default | | False |
| admin | admin@Default | | admin@Default | | False |
| admin | nova@Default | | service@Default | | False |
| _member_ | nova@Default | | service@Default | | False |
| admin | glance@Default | | service@Default | | False |
| _member_ | glance@Default | | service@Default | | False |
| admin | neutron@Default | | service@Default | | False |
| _member_ | neutron@Default | | service@Default | | False |
| admin | sahara@Default | | service@Default | | False |
| _member_ | sahara@Default | | service@Default | | False |
| admin | gnocchi@Default | | service@Default | | False |
| _member_ | gnocchi@Default | | service@Default | | False |
| ResellerAdmin | gnocchi@Default | | service@Default | | False |
| admin | swift@Default | | service@Default | | False |
| _member_ | swift@Default | | service@Default | | False |
| admin | aodh@Default | | service@Default | | False |
| _member_ | aodh@Default | | service@Default | | False |
| _member_ | test@redhat | | demo@Default | | False |
| admin | cinder@Default | | service@Default | | False |
| _member_ | cinder@Default | | service@Default | | False |
| admin | heat@Default | | service@Default | | False |
| _member_ | heat@Default | | service@Default | | False |
| admin | admin@Default | | | redhat | False |
| admin | admin@Default | | | Default | False |
| admin | heat_stack_
+------
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------
| ID | Name |
+------
| 853a331554ea0fb
| 82ec6ba7034541d
| 39e5b866156f05d
+------
[stack@undercloud-6 ~]$ openstack role assignment list --names
Could not find user: test (HTTP 404) (Request-ID: req-b12cbb45-
[stack@undercloud-6 ~]$
Disabling an account in Active Directory keeps the user in the user list and hence does not have the same effect. Everything is o.k. in this case.