[Fedora-directory-users] PassSync only working one way

Nathan Kinder nkinder at redhat.com
Wed Jun 14 15:54:01 UTC 2006 

Jeff Gamsby wrote:
>
> Thanks for responding.
> I have windows 2000, the default password policy is disabled by 
> default, but I did turn it on to see if that was the problem and also 
> tried more complex passwords when testing. Nothing has worked so far. 
> I'm not even sure if there is any other tests that I can do, I've 
> turned up the logging, but it still doesn't give me any clues as to 
> what is going on.
Are you saying that you enabled Active Directorys password complexity 
option?  I'm pretty sure that is required for passwords to sync from FDS 
-> AD.  You could also attempt to use ldapmodify against AD to remotely 
change a users password over SSL as a test.

It sounds like everything with the PassSync service is fine since 
passwords are working from AD -> FDS.

-NGK
>
> Thanks,
> Jeff
>
> nattapon viroonsri wrote:
>>
>> When i add user or change password at fds side , it stuck with 
>> windows (2003)  default password policy.
>> So i  have to chage to more strict password or disable policy at ads ,
>> then fds  sync with ads completely.( can log on to ads with same 
>> password as fds user)
>>
>> im not sure this is  same case as you.
>>
>> Regards,
>> Nattapon
>>
>>
>>> From: Jeff Gamsby <JFGamsby at lbl.gov>
>>> Reply-To: "General discussion list for the Fedora Directory server 
>>> project." <fedora-directory-users at redhat.com>
>>> To: "General discussion list for the Fedora Directory server 
>>> project." <fedora-directory-users at redhat.com>
>>> Subject: [Fedora-directory-users] PassSync only working one way
>>> Date: Tue, 13 Jun 2006 15:08:03 -0700
>>> MIME-Version: 1.0
>>> Received: from hormel.redhat.com ([209.132.177.30]) by 
>>> bay0-mc4-f5.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); 
>>> Tue, 13 Jun 2006 15:08:15 -0700
>>> Received: from listman.util.phx.redhat.com 
>>> (listman.util.phx.redhat.com [10.8.4.110])by hormel.redhat.com 
>>> (Postfix) with ESMTPid 7DA3A73550; Tue, 13 Jun 2006 18:08:12 -0400 
>>> (EDT)
>>> Received: from int-mx1.corp.redhat.com 
>>> (int-mx1.corp.redhat.com[172.16.52.254])by 
>>> listman.util.phx.redhat.com (8.13.1/8.13.1) with ESMTP 
>>> idk5DM8BEP021980for 
>>> <fedora-directory-users at listman.util.phx.redhat.com>;Tue, 13 Jun 
>>> 2006 18:08:11 -0400
>>> Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])by 
>>> int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP 
>>> idk5DM8B7P010237for <fedora-directory-users at redhat.com>; Tue, 13 Jun 
>>> 2006 18:08:11 -0400
>>> Received: from mta1.lbl.gov (mta1.lbl.gov [128.3.41.24])by 
>>> mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP 
>>> idk5DM8ATa017845for <fedora-directory-users at redhat.com>; Tue, 13 Jun 
>>> 2006 18:08:10 -0400
>>> Received: from mta1.lbl.gov (localhost [127.0.0.1])by mta1.lbl.gov 
>>> (8.13.6/8.13.6) with ESMTP id k5DM83Do029430for 
>>> <fedora-directory-users at redhat.com>;Tue, 13 Jun 2006 15:08:03 -0700 
>>> (PDT)
>>> Received: from [131.243.161.186] (charlie.lbl.gov 
>>> [131.243.161.186])by mta1.lbl.gov (8.13.6/8.13.6) with ESMTP id 
>>> k5DM82oT029426for <fedora-directory-users at redhat.com>;Tue, 13 Jun 
>>> 2006 15:08:03 -0700 (PDT)
>>> X-Message-Info: LsUYwwHHNt1YGVdsJHk9XJ3CjXqSQnQhAaTm5/PIsXI=
>>> User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
>>> X-Virus-Scanned: ClamAV 0.88.2/1538/Tue Jun 13 13:17:56 2006 on mta1
>>> X-Virus-Status: Clean
>>> X-RedHat-Spam-Score: 0 X-loop: fedora-directory-users at redhat.com
>>> X-BeenThere: fedora-directory-users at redhat.com
>>> X-Mailman-Version: 2.1.5
>>> Precedence: junk
>>> List-Id: "General discussion list for the Fedora Directory server 
>>> project."<fedora-directory-users.redhat.com>
>>> List-Unsubscribe: 
>>> <https://www.redhat.com/mailman/listinfo/fedora-directory-users>,<mailto:fedora-directory-users-request at redhat.com?subject=unsubscribe> 
>>>
>>> List-Archive: <https://www.redhat.com/archives/fedora-directory-users>
>>> List-Post: <mailto:fedora-directory-users at redhat.com>
>>> List-Help: 
>>> <mailto:fedora-directory-users-request at redhat.com?subject=help>
>>> List-Subscribe: 
>>> <https://www.redhat.com/mailman/listinfo/fedora-directory-users>,<mailto:fedora-directory-users-request at redhat.com?subject=subscribe> 
>>>
>>> Errors-To: fedora-directory-users-bounces at redhat.com
>>> Return-Path: fedora-directory-users-bounces at redhat.com
>>> X-OriginalArrivalTime: 13 Jun 2006 22:08:16.0215 (UTC) 
>>> FILETIME=[DEE3D670:01C68F35]
>>>
>>> I thought that I had the PassSync working until I ran into this 
>>> problem:
>>>
>>> Passwords are not synchronized from FDS to AD.  When accounts are 
>>> added to FDS, they do show up in AD ( Although sometimes the cn 
>>> attribute gets base64 encoded ), but I cannot authenticate to AD. 
>>> When I change passwords in the FDS side, they are not changed ( or 
>>> not sent ) to AD. If I change passwords in AD, they are changed in 
>>> the FDS.
>>>
>>> The logs show that something is happening (changed host names and dn's)
>>>
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>> (ad:636): No linger to cancel on the connection
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - 
>>> windows_acquire_replica returned success (101)
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>> (ad:636): State: ready_to_acquire_replica -> sending_updates
>>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay 
>>> (agmt="cn=AD" (ad:636)): Consumer RUV:
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>> (ad:636): {replicageneration} 448f18ae000000010000
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>> (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 
>>> 448f363d03d400010000 448f363d
>>> [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay 
>>> (agmt="cn=AD" (ad:636)): Supplier RUV:
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>> (ad:636): {replicageneration} 448f18ae000000010000
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>> (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 
>>> 448f363d03d700010000 448f363d
>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - session start: 
>>> anchorcsn=448f363d03d400010000
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - changelog 
>>> program - agmt="cn=AD" (ad:636): CSN 448f363d03d400010000 found, 
>>> position set for replay
>>> [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 
>>> csn=448f363d03d600010000
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>> (ad:636): windows_replay_update: Looking at modify operation local 
>>> dn="uid=user,ou=people,dc=server,dc=,dc=" (ours,user,not group)
>>> [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
>>> (ad:636): windows_replay_update: Processing modify operation local 
>>> dn="uid=user,ou=people,dc=server,dc=,dc=" remote 
>>> dn="<GUID=16f869dcfdde3d42bcb075fd4a1c7980>"
>>>
>>>
>>> I'm not sure what is going on, I can talk via SSL from FDS to AD, 
>>> and I'm assuming that the PassSync service is working properly since 
>>> the changes from AD to FDS work.
>>>
>>> Any suggestions?
>>>
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>> _________________________________________________________________
>> Express yourself instantly with MSN Messenger! Download today it's 
>> FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060614/309a53d6/attachment.bin>

More information about the Fedora-directory-users mailing list