<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello, Gonzalo,<br>
<br>
Any progress on your Password Synchronization?<br>
<br>
Let me double check a couple of things. You wrote you installed
PassSync on Windows 2013 (which could be a typo?) We support
Windows Server 2008 R2 and 2012 R2. We also confirmed it works on
Windows Server 2003 R2.<br>
<pre>> On 03/13/2015 12:45 PM, <a class="moz-txt-link-abbreviated" href="mailto:g.fer.ordas@unicyber.co.uk">g.fer.ordas@unicyber.co.uk</a> wrote:
>> I got the Password Sync Tool installed in the Windows2013 box</pre>
You can find the doc on PassSync here.<br>
<pre wrap=""><a class="moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync</a></pre>
The doc is on PassSync 1.1.5, but 1.1.6 remains intact except the
default SSL version to connect to the 389 Directory Server (as we
discussed before).<br>
<br>
We had a dicussion regarding the PassSync user you had to create:<br>
<pre>uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com</pre>
FreeIPA is supposed to generate a PassSync user by running
ipa-replica-manage <b>--winsync </b><b>--passsync</b>=<i>PASSSYNC_PWD.
(See also man ipa-replica-manage).</i>
<pre wrap="">> there must some problem as FreeIPA
> creates own Passsync user in "cn=sysaccounts,cn=etc,<SUFFIX>" also sets it's DN
> as passSyncManagersDNs in ipa_pwd_extop plugin to avoid it creating expired
> passwords. So there is no need to create
> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" manually.
</pre>
Please see the above doc regarding the user creation.<br>
<ul>
<li class="listitem">
<div class="para"> The username of the system user which
Active Directory uses to connect to the IdM machine. This
account is configured automatically when sync is configured
on the IdM server. The default account is <code
class="command">uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com</code>.
</div>
</li>
<li class="listitem">
<div class="para"> The password set in the <code
class="option">--passsync</code> option when the sync
agreement was created. </div>
</li>
</ul>
I'm sending this response to freeipa-users to share the info and
request for more suggestions.<br>
<br>
Thanks,<br>
--noriko<br>
<br>
On 03/13/2015 02:48 PM, <a class="moz-txt-link-abbreviated" href="mailto:g.fer.ordas@unicyber.co.uk">g.fer.ordas@unicyber.co.uk</a> wrote:<br>
</div>
<blockquote
cite="mid:3bccb84836c1afa05d3e78e01c30bbde@unicyber.co.uk"
type="cite">I forgot to attach the search command now:
<br>
# passsync, users, accounts, corp.company.com
<br>
dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
<br>
cn: passsync
<br>
displayName: passsync
<br>
krbLastFailedAuth: 20150313211546Z
<br>
krbLoginFailedCount: 1
<br>
krbExtraData::
AALUUQNVcm9vdC9hZG1pbkBDT1JQLkhPT1RTVUlURU1FRElBLkNPTQA=
<br>
memberOf:
cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
<br>
krbLastPwdChange: 20150313210836Z
<br>
krbPasswordExpiration: 20150611210836Z
<br>
mepManagedEntry:
cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d
<br>
c=com
<br>
objectClass: top
<br>
objectClass: person
<br>
objectClass: organizationalperson
<br>
objectClass: inetorgperson
<br>
objectClass: inetuser
<br>
objectClass: posixaccount
<br>
objectClass: krbprincipalaux
<br>
objectClass: krbticketpolicyaux
<br>
objectClass: ipaobject
<br>
objectClass: ipasshuser
<br>
objectClass: ipaSshGroupOfPubKeys
<br>
objectClass: mepOriginEntry
<br>
loginShell: /bin/bash
<br>
gecos: pass sync
<br>
sn: sync
<br>
homeDirectory: /home/passsync
<br>
uid: passsync
<br>
mail: <a class="moz-txt-link-abbreviated" href="mailto:passsync@corp.company.com">passsync@corp.company.com</a>
<br>
krbPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:passsync@CORP.company.COM">passsync@CORP.company.COM</a>
<br>
givenName: pass
<br>
initials: ps
<br>
userPassword:: zxxxxxxxx=
<br>
=
<br>
ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
<br>
uidNumber: 1481000829
<br>
gidNumber: 1481000829
<br>
krbPrincipalKey:: dfrerererer
<br>
<br>
# search result
<br>
search: 2
<br>
<br>
<br>
On 2015-03-13 21:39, <a class="moz-txt-link-abbreviated" href="mailto:g.fer.ordas@unicyber.co.uk">g.fer.ordas@unicyber.co.uk</a> wrote:
<br>
<blockquote type="cite">Hi
<br>
<br>
I had to manually create the user!! For some reason I thought
the sync
<br>
Agreement task was also creating that entry for the DS!
<br>
<br>
So now I got:
<br>
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH
<br>
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
<br>
scope=0 filter="(objectClass=*)" attrs="telephoneNumber uid
title
<br>
loginShell uidNumber gidNumber sn homeDirectory mail ou
givenName
<br>
nsAccountLock"
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101
<br>
nentries=1 etime=0
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH
<br>
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
<br>
scope=0 filter="(userPassword=*)" attrs="userPassword"
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101
<br>
nentries=1 etime=0
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH
<br>
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
<br>
scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101
<br>
nentries=1 etime=0
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH
<br>
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
<br>
scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0 tag=101
<br>
nentries=1 etime=0
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
<br>
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
<br>
[13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101
<br>
nentries=828 etime=90 notes=U
<br>
[13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON
targetop=NOTFOUND msgid=16
<br>
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH
<br>
base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0
<br>
filter="(objectClass=*)" attrs="* aci"
<br>
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101
<br>
nentries=1 etime=0
<br>
[13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON
targetop=NOTFOUND msgid=18
<br>
[13/Mar/2015:14:27:42 -0700] conn=67 fd=103 slot=103 connection
from ::1 to ::1
<br>
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND dn="cn=directory
<br>
manager" method=128 version=3
<br>
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0 tag=97
<br>
nentries=0 etime=0 dn="cn=directory manager"
<br>
[13/Mar/2015:14:27:42 -0700] conn=67 op=1 SRCH
<br>
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
<br>
scope=2 filter="(objectClass=*)" attrs=ALL
<br>
[13/Mar/2015:14:27:42 -0700] conn=67 op=1 RESULT err=0 tag=101
<br>
nentries=1 etime=0 notes=U
<br>
[13/Mar/2015:14:27:42 -0700] conn=67 op=2 UNBIND
<br>
[13/Mar/2015:14:27:42 -0700] conn=67 op=2 fd=103 closed - U1
<br>
<br>
And target not found??? what else I might be missing ?
<br>
<br>
Thanks!
<br>
<br>
<br>
On 2015-03-13 21:01, Noriko Hosoi wrote:
<br>
<blockquote type="cite">On 03/13/2015 01:49 PM,
<a class="moz-txt-link-abbreviated" href="mailto:g.fer.ordas@unicyber.co.uk">g.fer.ordas@unicyber.co.uk</a> wrote:
<br>
<blockquote type="cite">Hi
<br>
<br>
Restarted... And I also have re-initiated the replica just
in case....
<br>
<br>
I can see the following:
<br>
---
<br>
3/Mar/2015:13:41:35 -0700] conn=34 op=329 RESULT err=0
tag=101 nentries=1 etime=0
<br>
[13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL
connection from AD.SERVER to IPA.SERVER
<br>
[13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
<br>
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND
dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
method=128 version=3
<br>
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32
tag=97 nentries=0 etime=0
<br>
</blockquote>
Error 32 is LDAP_NO_SUCH_OBJECT.
<br>
Do you have a user
<br>
"uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
in your
<br>
Directory Server?
<br>
<br>
On the host/VM where your Direcotry Server is running, please
run this
<br>
command line search. Does it return the entry?
<br>
ldapsearch -x -h localhost -p 389 -D 'cn=directory manager' -W
-b
<br>
"uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
<br>
<blockquote type="cite">[13/Mar/2015:13:41:36 -0700] conn=35
op=1 SRCH
base="cn=users,cn=accounts,dc=corp,dc=company,dc=com"
scope=2 filter="(ntUserDomainId=john.test)" attrs=ALL
<br>
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0
tag=101 nentries=1 etime=0
<br>
[13/Mar/2015:13:41:36 -0700] conn=34 op=330 SRCH
base="cn=meTohqdc1.corp.company.com,cn=replica,cn=dc\3Dcorp\2Cdc\3Dcompany\2Cdc\3Dcom,cn=mapping
tree,cn=config" scope=0 filter="(objectClass=*)"
attrs="nsds5replicaLastInitStart
nsds5replicaUpdateInProgress nsds5replicaLastInitStatus cn
nsds5BeginReplicaRefresh nsds5replicaLastInitEnd"
<br>
[13/Mar/2015:13:41:36 -0700] conn=34 op=330 RESULT err=0
tag=101 nentries=1 etime=0
<br>
[13/Mar/2015:13:41:36 -0700] conn=36 fd=101 slot=101 SSL
connection from AD.SERVER to IPA.SERVER
<br>
[13/Mar/2015:13:41:36 -0700] conn=36 SSL 128-bit AES
<br>
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND
dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
method=128 version=3
<br>
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48
tag=97 nentries=0 etime=0
<br>
[13/Mar/2015:13:41:36 -0700] conn=36 op=1 UNBIND
<br>
[13/Mar/2015:13:41:36 -0700] conn=36 op=1 fd=101 closed - U1
<br>
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD
dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
<br>
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50
tag=103 nentries=0 etime=0
<br>
</blockquote>
Since the above bind failed, your PassSync has no right to
update the
<br>
password on the Directory Server and the modify attempt failed
with
<br>
LDAP_INSUFFICIENT_ACCESS.
<br>
<br>
Thanks,
<br>
--noriko
<br>
<blockquote type="cite">[13/Mar/2015:13:41:37 -0700] conn=35
op=3 UNBIND
<br>
[13/Mar/2015:13:41:37 -0700] conn=35 op=3 fd=84 closed - U1
<br>
<br>
--
<br>
<br>
Note there are 2 errors there:
<br>
dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
method=128 version=3
<br>
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32
tag=97 nentries=0 etime=0
<br>
dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
method=128 version=3
<br>
<br>
ipa user-show John.Test
<br>
<br>
User login: john.test
<br>
<br>
First name: John
<br>
<br>
Last name: Test
<br>
<br>
Home directory: /home/john.test
<br>
<br>
Login shell: /bin/bash
<br>
<br>
UID: 1481000790
<br>
<br>
GID: 1481000790
<br>
<br>
Account disabled: False
<br>
<br>
Password: False
<br>
<br>
Kerberos keys available: False
<br>
<br>
<br>
the password is still set as False
<br>
The PassSync Tool got defined as base search:
<br>
<br>
cn=users,cn=accounts,dc=corp,dc=company,dc=com .. Which
should be all right
<br>
<br>
Thanks for all your help!
<br>
<br>
</blockquote>
</blockquote>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>