[Freeipa-users] Windows Password Synchronization Error

Thu Mar 15 20:38:37 UTC 2012

Bennet Lingner wrote:
> Something more:
>
> On FreeIPA side there are built these errors too:
>
> [15/Mar/2012:10:02:02 +0100] encrypt_encode_key - [file
> ipapwd_encoding.c, line 451]: krb5_c_string_to_key failed [Invalid argument]
>
> [15/Mar/2012:10:02:02 +0100] ipapwd_gen_hashes - [file
> ipapwd_encoding.c, line 776]: key encryption/encoding failed

It is failing trying to create a Kerberos key out of the password. I'm 
not sure why at the moment, that is a very strange message coming out of 
the krb5 libs.

rob

>
> *Von:*Bennet Lingner [mailto:b.lingner at zik.hs-anhalt.de]
> *Gesendet:* Donnerstag, 15. März 2012 10:34
> *An:* 'freeipa-users at redhat.com'
> *Betreff:* AW: Windows Password Synchronization Error
>
> Hi,
>
> Thank you for your reply.
>
> Version of freeipa and 389 packages:
>
> Freeipa server, python, admintools, client, server-selinux all in
> 2.1.4-5.fc16.i686
>
> 389-ds-base-1.2.10.3-1.fc16.i686 + libs
>
> Platform is Fedora 16 3.2.9-2.fc16.i686.PAE on AMD Opteron CPU
>
> Ldapmodify and ipa passwd are working perfectly, I’ve changed password
> in this ways and passwords were synchronized.
>
> So I conclude the problem is specific to AD Passsync?
>
> If it is so, do I have the possibility on AD side too to set or try
> something?
>
> Best regards.
>
> Bennet Lingner
>
> *Von:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Gesendet:* Mittwoch, 14. März 2012 16:31
> *An:* Bennet Lingner
> *Betreff:* Re: Windows Password Synchronization Error
>
> On 03/14/2012 06:29 AM, Bennet Lingner wrote:
>
> Dear Mr. Megginson,
>
> I’ve seen in www, that you are very involved in 389 directory server,
> that’s why I decided to send this mail to you.
>
> I hope you can help me.
>
>     I’m running a WIN2K8 R2 64 bit and a fedora Linux 32 bit with freeipa.
>
> In the future, please use the freeipa-users at redhat.com
> <mailto:freeipa-users at redhat.com> email list. Please also include the
> versions of your freeipa and 389 packages:
> rpm -qa|grep freeipa
> rpm -qa|grep 389
>
> There is a win sync agreement, which works very well, even the passwords
> are synchronized.
>
> The only problem is that:
>
> If I set a new password on windows side with more than 2 special
> characters, e.g. ‘!Mäusel 10’ or ‘!Rüdiger 20’
>
> Then I get the passsync error:
>
> 03/14/12 12:26:13: Ldap error in ModifyPassword
>
> 1: Operations error
>
> 03/14/12 12:26:13: Modify Password failed for remote entry: uid=…
>
> 03/14/12 12:26:13: Deferring password change for …
>
> Do you have any idea, if that could be or something else, what can I do?
>
> What is your 389-ds-base version and platform?
> Can you use ldapmodify to change the user password to one of the above
> values? Can you use ipa-passwd? That is, is the problem specific to AD
> PassSync, or is it a problem with these types of passwords in general?
>
> Best regards.
>
> Mit freundlichen Grüßen
>
> Bennet Lingner
>
> *Hochschule Anhalt *- ZIK
>
> b.lingner at zik.hs-anhalt.de <mailto:b.lingner at zik.hs-anhalt.de>
>
> Tel. +49 (0) 3496 67-5420
>
> Fax +49 (0) 3496 67-95420
>
> Bernburger Straße 55
>
> 06366 Köthen (Anhalt)
>
> Hochschule Anhalt (FH) * Bernburger Straße 55 * D 06366 Köthen
> Präsident Prof. Dr. Dr. h.c. Dieter Orzessek * Tel.: +49 (0) 3496 67
> 1000 * Fax +49 (0) 3496 67 1099
> Betriebsnummer 030 77 111 * Umsatzsteuernummer DE 8140 92 585
> Zuständige Aufsichtsbehörde Kultusministerium des Landes Sachsen-Anhalt,
> PF 3765, 39012 Magdeburg
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users