[Freeipa-users] Winsync agreement password sync failing for specific user on the IPA side
Andreas Calminder
andreas.calminder at nordnet.se
Tue Apr 12 13:04:24 UTC 2016
Sorry for the noise. I did some backtracking in the mailing list
archives and found a conversation from December 2015 regarding the same
issue with a nice Bugzilla attached
(https://bugzilla.redhat.com/show_bug.cgi?id=1287092). I'll try to work
around the issue with group nesting.
/andreas
On 04/12/2016 02:41 PM, Andreas Calminder wrote:
> Hello,
> I've got a pretty strange problem with FreeIPA 4.2.0-15.el7 running on
> RHEL 7.2 and am wondering if anyone can shed some light on it. I've
> set up a winsync agreement and it seems to be working fine; stuff gets
> synced from the AD to IPA. I've also got the PassSync application
> installed on all Windows domain controllers and it's behaving a bit
> unexpectedly. It would seem that password changes initiated on the
> Windows side do not work for my user, however a change for another
> user passes just fine.
>
> From the passsync.log from the same Windows DC:
>
> User:
> 04/08/16 16:29:12: Attempting to sync password for user1
> 04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
> 04/08/16 16:29:12: Password modified for remote entry:
> uid=user1,cn=users,cn=accounts,dc=linux,dc=se
> 04/08/16 16:29:12: Removing password change from list
>
> Me:
> 04/08/16 16:31:45: Searching for (ntuserdomainid=me)
> 04/08/16 16:31:45: Ldap error in ModifyPassword
> 50: Insufficient access
> 04/08/16 16:31:45: Modify password failed for remote entry:
> uid=me,cn=users,cn=accounts,dc=linux,dc=se
> 04/08/16 16:31:45: Deferring password change for me
> 04/08/16 16:31:45: Backing off for 2000ms
>
> Are there different permissions per user, or does the passsync user on
> the IPA side need to update its permissions (the user me is an IPA
> administrator)?
>
> I'm currently running an older IPA version, 3.0.0-37.el6, against the
> same DCs, with the same passsync user and password, where this works. It
> also works fine in my test environment (4.2.0). Am I missing something
> obvious or am I doing something wrong?
>
> Best regards,
> Andreas
>
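
An added triage sketch, not part of the original post or of PassSync: it groups passsync.log outcomes per user using the message strings quoted above, and lists users rejected with LDAP result 50 while other users synced under the same bind identity, which is the pattern described in this thread. The sample log is constructed from the quoted excerpts, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the passsync.log excerpts quoted above.
SAMPLE_LOG = """\
04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
04/08/16 16:29:12: Password modified for remote entry:
    uid=user1,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:29:12: Removing password change from list
04/08/16 16:31:45: Searching for (ntuserdomainid=me)
04/08/16 16:31:45: Ldap error in ModifyPassword
    50: Insufficient access
04/08/16 16:31:45: Modify password failed for remote entry:
    uid=me,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:31:45: Deferring password change for me
"""

TS = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}: ")

def records(text):
    """Rejoin continuation lines (no leading timestamp) onto their record."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    """Return {user: {"ok": n, "failed": n, "errors": {ldap_result_code}}}."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0, "errors": set()})
    user, err = None, None
    for rec in records(text):
        msg = TS.sub("", rec)
        if m := re.match(r"Searching for \(ntuserdomainid=(.+)\)$", msg):
            user, err = m.group(1), None
        elif m := re.match(r"Ldap error in \w+\s+(\d+):", msg):
            err = int(m.group(1))
        elif user and msg.startswith("Password modified for remote entry"):
            stats[user]["ok"] += 1
        elif user and msg.startswith("Modify password failed for remote entry"):
            stats[user]["failed"] += 1
            if err is not None:
                stats[user]["errors"].add(err)
    return dict(stats)

def per_entry_denials(text):
    """Users denied with LDAP 50 although the bind identity worked for others."""
    s = summarize(text)
    denied = sorted(u for u, v in s.items() if 50 in v["errors"])
    return denied if any(v["ok"] for v in s.values()) else []
```

A non-empty result means the sync account authenticates and can write some entries, so the place to look is access control on the listed entries on the IPA side rather than the PassSync bind credentials.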