[Fedora-directory-users] Winsync Problem with NT4

Elliot Schlegelmilch elliot at bozemanpass.com
Tue Nov 29 20:27:02 UTC 2005


Hartmut Wöhrle wrote:
> Hmm, I also did a ldapsearch and got the "Invalid Credential" (log at the end)
> So this means it uses the wrong password. Because I tried a different one than 
> the actual. But when starting the ldapsearch, does it login to the ApacheDS 
> without using PDC data? Or is there a connection? And what should come 
> out.... - the whole PDC tree I think, but I'm not sure. 

I'm a bit confused now. Which password, or which actual?  You can 
ldapsearch using the uid=admin,ou=system account and correct password.

> 
> 
>>NTDS side (PDC machine). NTDS uses ApacheDS. ApacheDS stores
>>its password in its database. However originally it always initialized that
>>password to a known value. We were concerned about the security
>>implications of that and made a change to the ApacheDS code such that
>>the password is read from the config file rather than use the default value
>>(which would be the same for all installations). In order to force users
>>to set the password, I believe we refuse to function until it is set in the
>>config file. At least that's how I remember it. I'd need to look at the
>>code to be sure.
> 
> But it uses which user?
> uid=admin,ou=system 
> as default ApacheDS root entry?
> And what happens, when this User doesn't exist? And the password is set to a 
> value I can not remember? I think the only chance to solve this problem is to 
> reinstall (deinstall deletes the DS - right?) the whole winsync and have - 
> now - the user admin and use its password.
> 
> 
>>Anyway, the ldapmodify operation will be to the userpassword attribute
>>on the ApacheDS root entry. I'll look that up and post the command...
>>
>>Your problem may be that you haven't set the password in the first place.
>>It should be possible to use ldapsearch to check that your ntds is up
>>and running and answering LDAP searches correctly. Once that's proven,
>>FDS should be able to sync with it ok using the same bind credentials
>>and password.
>>
> 
> ldapsearch works, but (as you can see below) my bind password is wrong (or I 
> can't remember.... :) ) 

I would suggest opening up your c:\program files\fedora directory 
synchronization\conf\usersync.conf in your favorite editor, and see what 
password is in it. Try binding as that user. While looking inside that 
file look for the 'server.db.partition.suffix.usersync' field.

Then, with this password and base, try another search.

ldapsearch -v -h 192.168.1.218 -D "uid=admin,ou=system" -w pw -b "dc=home,dc=org" "(objectclass=*)"

I'm just guessing the base, but I assume it's something very similar.

You should see something similar to this:
# Guest, users, example.com
dn: sAMAccountName=Guest,cn=users,dc=example,dc=com
memberOf: sAMAccountName=Domain Guests,cn=users,dc=example,dc=com
lastLogon: 0
objectGUID: 0105000000000005150000003D725165EB1AB15BC9504D49F5010000
countryCode: 0

Once you can access your PDC from LDAP, there's a lot better chance that 
your Fedora Directory Server will be able to as well, for replication.


> 
> Btw... It would be nice to find a schema (written or drawn) which tells me (or 
> everyone) how winsync and passwordsync work. The pictures in the manuals 
> tell me which way the servers exchange information, but within the 
> PDC (or AD) I don't know anything - it is a black box.
> And .... I didn't find the sources to check by myself - is it closed source?

It's not closed source.
http://directory.fedora.redhat.com/wiki/Building#Pulling_the_Directory_Server_Source

> 
> See U
> Hartmut
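
The check suggested above (read the bind password and the usersync suffix out of usersync.conf, then run the ldapsearch and see whether the bind is accepted), as an added example that is not part of the original thread. It assumes usersync.conf is a Java-style key=value file, that the suffix key is server.db.partition.suffix.usersync as named in the thread, and that the password key is called bind.password (an assumed placeholder name); the sample conf contents are constructed.

```python
#!/usr/bin/env python3
"""Verify the winsync bind credentials from usersync.conf against the PDC's
ApacheDS before letting Fedora Directory Server attempt replication."""
import re
import subprocess

SUFFIX_KEY = "server.db.partition.suffix.usersync"  # key named in the thread
PASSWORD_KEY = "bind.password"                       # ASSUMED key name, not from the thread
BIND_DN = "uid=admin,ou=system"                      # ApacheDS root entry from the thread

# Constructed sample of a usersync.conf; real files will differ.
SAMPLE_CONF = """\
# usersync configuration (constructed sample)
server.db.partition.suffix.usersync=dc=home,dc=org
bind.password = s3cret!
other.key: value
"""


def parse_properties(text):
    """Minimal Java-properties parser: key=value or key: value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def build_ldapsearch(props, host, bind_dn=BIND_DN):
    """Build the ldapsearch argv from the thread, filled in from the conf values."""
    return ["ldapsearch", "-v", "-h", host, "-D", bind_dn,
            "-w", props[PASSWORD_KEY], "-b", props[SUFFIX_KEY], "(objectclass=*)"]


def classify_result(returncode, stderr):
    """Map the ldapsearch exit status to a diagnosis; 49 is LDAP invalidCredentials."""
    if returncode == 0:
        return "bind ok: PDC answers LDAP, FDS can use the same bind DN and password"
    if returncode == 49 or "invalid credentials" in stderr.lower():
        return "bind rejected: password in usersync.conf does not match the ApacheDS root entry"
    return f"ldapsearch failed with status {returncode}: {stderr.strip()}"


def check(conf_text, host):
    """Run the search against the PDC and return the diagnosis."""
    argv = build_ldapsearch(parse_properties(conf_text), host)
    proc = subprocess.run(argv, capture_output=True, text=True)
    return classify_result(proc.returncode, proc.stderr)
```

Calling check(open("usersync.conf").read(), "192.168.1.218") on the FDS host runs the same search as above and tells you whether the bind or only the base is wrong.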
