[Fedora-directory-users] Winsync Problem with NT4

Nathan Kinder nkinder at redhat.com
Thu Dec 1 16:38:44 UTC 2005


Hartmut Wöhrle wrote:

>Hello Elliot,
>
>On Tuesday, 29 November 2005 21:27, Elliot Schlegelmilch wrote:
>
>>I'm a bit confused now. Which password, or which actual?  You can
>>ldapsearch using the uid=admin,ou=system account and correct password.
>>
>"correct password" - that's exactly my problem. I think when setting up the
>system I did something wrong, because the answer is "Invalid Credentials
>(49)", which means wrong password. Therefore I cannot connect, not search,
>and not modify anything.... so what to do? Uninstall and start from scratch?
>
>>>ldapsearch works, but (as you can see below) my bind password is wrong
>>>(or I can't remember.... :) )
>>>
>>I would suggest opening up your c:\program files\fedora directory
>>synchronization\conf\usersync.conf in your favorite editor, and see what
>>password is in it. Try binding as that user. While looking inside that
>>file look for the 'server.db.partition.suffix.usersync' field.
>>
>While trying to install I changed this password and now it doesn't fit - or
>maybe I am too stupid because I cannot remember.
>
>>Then, with this password and base, try another search.
>>
>>ldapsearch -v -h 192.168.1.218 -D "uid=admin,ou=system" -w pw \
>>  -b "dc=home,dc=org" "(objectclass=*)"
>>
>>I'm just guessing the base, but I assume it's something very similar.
>>
>>You should see something similar to this:
>># Guest, users, example.com
>>dn: sAMAccountName=Guest,cn=users,dc=example,dc=com
>>memberOf: sAMAccountName=Domain Guests,cn=users,dc=example,dc=com
>>lastLogon: 0
>>objectGUID: 0105000000000005150000003D725165EB1AB15BC9504D49F5010000
>>countryCode: 0
>>
>Ok, so now I know what should come out - good.
>
>>Once you can access your PDC from LDAP, there's a lot better chance that
>>your Fedora Directory Server will be able to for replication.
>>
>Exactly, that's why I switched to ldapsearch, because it tells me much more
>in its output than the Replication Log file does.
>
>>>Btw... It would be nice to find a schema (written or drawn) which tells
>>>me (or everyone) how winsync and passwordsync work. The pictures in the
>>>manuals tell me which way the servers exchange information, but
>>>within the PDC (or AD) I don't know anything - it is a black box.
>>>And .... I didn't find the sources to check by myself - is it closed
>>>source?
>>>
>>It's not closed source.
>>http://directory.fedora.redhat.com/wiki/Building#Pulling_the_Directory_Server_Source
>>
>The Directory Server, yes.
>But I don't see (maybe I'm blind) the sources for the ApacheDS at the PDC
>(Java based) and the sources for the winsync software, which comes as a .msi
>(Microsoft Installer) file.
>So is this open source? And where to find it?
>
The ApacheDS source is available at http://directory.apache.org/

The source for the winsync software is in the same source tree as the 
Directory Server.  The PassSync.msi source is in the 
ldapserver/ldap/synctools directory.  The ntds.msi source is in the 
ldapserver/ldap/servers/ntds directory.

>And I think the manual is a little bit too small for the NT Winsync.
>With AD it is OK, because you use the LDAP function of the AD and synchronise
>like a replica - more or less.
>But what exactly happens at the NT PDC???
>I learned from this forum that winsync installs an ApacheDS as LDAP server to
>connect with. OK, what next? How does the ApacheDS connect to the PDC? Which
>user is used for the login - if any?
>Does it work like this:
>FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=?)
>or
>FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=admin)
>
My understanding is that the ApacheDS just serves up an LDAP
representation of NT's SAM database.  It can access this since it is
running as Administrator.

>And you need the replication manager (with the ACLs to add, modify and delete
>a user) at the FDS side for the synchronization?
>So this works like this (push):
> NT PDC (user=?) --> ApacheDS (uid=admin,ou=system) --> FDS
>(uid=replmanager,ou=users)
>And how does he know which user at the FDS to use?
>Or like this (pull):
>FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=?)
>
FDS pulls the data from ApacheDS.

>And how does it work when I use the Password Sync? Is there a layer in between
>the Windows admin tool and the PDC that reads the input and sends it to the FDS
>before handing it to the PDC directory - but for this it needs an account with
>administrative rights, which one?
>
The Windows LSA (local security authority) hands password changes off to 
PassSync.  The PassSync service then attempts to push this password 
change to FDS.  You need to set up a user on the FDS side that has 
permission to update the userPassword attribute for your user entries.  
It doesn't matter which user as long as they have the proper rights.

-NGK

>You see there are many questions with this challenging tool.
>
> See U
> Hartmut
>
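An added example, not from the original thread and not the Fedora Directory Server project's own configuration, of the least-privilege account Nathan describes for PassSync: a dedicated entry on the FDS side plus an ACI, in the Fedora/389 Directory Server ACI syntax, that lets that account write only the userPassword attribute of entries under the user container and nothing else. The suffix dc=home,dc=org is the one guessed earlier in the thread; the account name uid=passsync, the container ou=users, the placeholder password and the ACI name are assumptions.

```ldif
# Dedicated service account used only by the PassSync service.
# (constructed example; names are assumed, replace the placeholder password)
dn: uid=passsync,ou=users,dc=home,dc=org
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: passsync
cn: PassSync Service Account
sn: Service
userPassword: CHANGE-ME-PLACEHOLDER

# ACI on the user container: the service account may write the
# userPassword attribute of any entry in the subtree, but it gets no
# right to add, delete or rename entries and no write on other attributes.
dn: ou=users,dc=home,dc=org
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "PassSync may update
  userPassword"; allow (write) userdn = "ldap:///uid=passsync,ou=users,dc=home,dc=org";)
```

Load it with ldapmodify as the Directory Manager, then confirm the scope from the service account itself: a modify of userPassword on a test entry under ou=users should succeed, while a modify of any other attribute, or an add or delete of an entry, should be rejected with "Insufficient access (50)". Because the ACI is bound to this one DN, rotating or disabling the PassSync credential never touches the replication manager or the admin account.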
