[389-users] AD2008 on 64 bit windows, 389 Directory Server passwords...

Rich Megginson rmeggins at redhat.com
Wed Nov 4 14:24:05 UTC 2009 

Anne Cross wrote:
> Rich Megginson wrote:
>> Anne Cross wrote:
>>> I'm trying to sync passwords from 389 to Active Directory.
>>>
>>> If we import users from AD, then try to change their passwords, the 
>>> replication locks up.
>> Can you be more specific?  Have you tried the replication log level 
>> (which also logs winsync data) - 
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> I turned on replication logging through the GUI, which set it to 8192, 
> much as the ldapmodify would have.
>
> What we see on the AD side is that the replication manager says, 
> effectively, "Change the password," and then it *appears* that the 
> replication manager account attempts to change users to the become to 
> the user whose password is being changed; then, the software attempts 
> to change the password, which fails. the bad password attempt counter 
> increments, and the replication manager account appears to log out.
>
> On the Directory Server side, we see everything connect, the user is 
> resolved on both sides, and then after about 15 minutes, the 
> connection disconnects due to idleness.
>
> This is the log of the user add using a cleartext password on the ldap 
> side:
>
> [22/Oct/2009:11:06:03 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): windows_replay_update: Looking 
> at add operation local 
> dn="uid=juniper,ou=Employees,ou=Users,ou=People,dc=itasoftware,dc=com" 
> (ours,user,not group)
> [22/Oct/2009:11:06:03 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): map_entry_dn_outbound: looking 
> for AD entry for DS 
> dn="uid=juniper,ou=Employees,ou=Users,ou=People,dc=itasoftware,dc=com" 
> guid="(null)"
> [22/Oct/2009:11:06:03 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): map_entry_dn_outbound: looking 
> for AD entry for DS 
> dn="uid=juniper,ou=Employees,ou=Users,ou=People,dc=itasoftware,dc=com" 
> username="juniper"
> [22/Oct/2009:11:06:03 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): map_entry_dn_outbound: entry 
> not found - rc 0
> [22/Oct/2009:11:06:03 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): windows_replay_update: 
> Processing add operation local 
> dn="uid=juniper,ou=Employees,ou=Users,ou=People,dc=itasoftware,dc=com" 
> remote dn="cn=Juniper 
> Cross,ou=Employees,ou=Users,ou=People,dc=corp,dc=itasoftware,dc=com"
> [22/Oct/2009:11:06:03 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): process_replay_add: 
> dn="cn=Juniper 
> Cross,ou=Employees,ou=Users,ou=People,dc=corp,dc=itasoftware,dc=com" 
> (not present,add allowed)
> [22/Oct/2009:11:06:03 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): Received result code 0 () for 
> add operation
>
> That's it, until ten minutes later when I tried to change the password:
>
> [22/Oct/2009:11:16:02 -0400] agmt="cn=ita4windc2" (ita4windc2:636) - 
> load next: anchorcsn=4ae073560000104d0000
> [22/Oct/2009:11:16:02 -0400] agmt="cn=ita4windc2" (ita4windc2:636) - 
> load=3 rec=7 csn=4ae075280000104d0000
> [22/Oct/2009:11:16:02 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): windows_replay_update: Looking 
> at modify operation local 
> dn="uid=juniper,ou=employees,ou=users,ou=people,dc=itasoftware,dc=com" 
> (ours,user,not group)
> [22/Oct/2009:11:16:02 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): map_entry_dn_outbound: looking 
> for AD entry for DS 
> dn="uid=juniper,ou=Employees,ou=Users,ou=People,dc=itasoftware,dc=com" 
> guid="(null)"
> [22/Oct/2009:11:16:02 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): map_entry_dn_outbound: looking 
> for AD entry for DS 
> dn="uid=juniper,ou=Employees,ou=Users,ou=People,dc=itasoftware,dc=com" 
> username="juniper"
> [22/Oct/2009:11:16:02 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): map_entry_dn_outbound: found AD 
> entry dn="CN=Juniper 
> Cross,OU=Employees,OU=Users,OU=People,DC=corp,DC=itasoftware,DC=com"
> [22/Oct/2009:11:16:02 -0400] NSMMReplicationPlugin - 
> agmt="cn=ita4windc2" (ita4windc2:636): windows_replay_update: 
> Processing modify operation local 
> dn="uid=juniper,ou=employees,ou=users,ou=people,dc=itasoftware,dc=com" 
> remote dn="CN=Juniper 
> Cross,OU=Employees,OU=Users,OU=People,DC=corp,DC=itasoftware,DC=com"
>
> Nada.  The badPwdCounter just increments, and the password remains unset.
>
>>> If we create the users on 389, and sync them back to AD, the 
>>> password field passed back is blank in Windows.
>> When you create the users on 389, are you using the clear text 
>> password in the userPassword field?
> We were not.  I created a test user with a cleartext password this 
> morning, and the result has been functionally identical - the 
> badPwdCounter increments, and the user password remains blank on the 
> AD side of things.
>
>>>
>>> Passsync isn't going to work because we're running 64bit Windows, so 
>>> we can't sync the passwords *from* AD.  I got this working earlier, 
>>> but that was with FDS in a test instance several months ago, and I 
>>> didn't write down what I did.  (And I am kicking myself over that.)  
>>> We can live without people changing their passwords on AD as long as 
>>> we *can* sync passwords down from 389.
>> We are working on 64-bit Windows support.
> Oh, hurrah!  Are you also going to change it so that passsync doesn't 
> store the password in cleartext in the registry? Our Windows admin 
> just about took my head off when he found that. :/  I'll see if I can 
> get him to let me use the administrator account on Windows to test 
> with, though.
64-bit Windows Server 2008 PassSync is now available - version 1.1.2 - 
http://directory.fedoraproject.org/wiki/Release_Notes
>
>    -- juniper
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20091104/226249cb/attachment.bin>

More information about the Fedora-directory-users mailing list