[Freeipa-users] Winsync agreement password sync failing for specific user on the IPA side
Andreas Calminder
andreas.calminder at nordnet.se
Tue Apr 12 12:41:45 UTC 2016
Hello,
I've got a pretty strange problem with FreeIPA 4.2.0-15.el7 running on
RHEL 7.2 and am wondering if anyone can shed some light on it. I've set up a
winsync agreement and it seems to be working fine, stuff gets synced
from the AD to IPA. I've also got the PassSync application installed on
all Windows domain controllers and it's behaving a bit unexpectedly. It
would seem that password changes initiated on the Windows side do not
work for my user, however a change for another user passes just fine.
From the passsync.log from the same Windows DC:
User:
04/08/16 16:29:12: Attempting to sync password for user1
04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
04/08/16 16:29:12: Password modified for remote entry:
uid=user1,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:29:12: Removing password change from list
Me:
04/08/16 16:31:45: Searching for (ntuserdomainid=me)
04/08/16 16:31:45: Ldap error in ModifyPassword
50: Insufficient access
04/08/16 16:31:45: Modify password failed for remote entry:
uid=me,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:31:45: Deferring password change for me
04/08/16 16:31:45: Backing off for 2000ms
Are there different permissions per user or does the passsync user on the
IPA side need to update its permissions (the user me is an IPA
administrator)?
I'm currently running an older IPA version 3.0.0-37.el6 against the same
DCs, same passsync user and password, where this works. It also works
fine in my test environment (4.2.0). Am I missing something obvious or
am I doing something wrong?
Best regards,
Andreas