Monday, August 29, 2016

[389-users] Re: Strange behaviour password sync, windows 2012 r2

Thank you both for your answers.
Sorry I should've included more lines in my log.
Bindings with the passSync user are ok. But after that, the system tries to bind with the user whose password is being changed and that's when it fails:

This is what happens when user jmml01 changes his password in Windows and he was connected to the failing controller:

Windows:

08/30/16 08:28:56: Attempting to sync password for jmml01
08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
08/30/16 08:28:56: Checking password failed for remote entry: uid=jmml01,ou=xxxxxxx
08/30/16 08:28:56: Deferring password change for jmml01
08/30/16 08:28:56: Backing off for 4096000ms

389ds:

[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xxxxxx" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=xxxxx"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=xxxxx" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND

However, if the user was connected on the other controller, the password will be successfully changed. I also believe it's a certificate problem, I'm going to review my config on that side.

Regards!
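The log excerpt above shows the pattern worth recognising in any 389-ds access log: the service account bind (uid=winsync) returns err=0, and it is the second connection, the bind as the end user whose password is being checked, that comes back err=53 (LDAP unwillingToPerform). The following script is an added example, not part of this thread or of PassSync/389-ds; it parses access log lines in the format shown above, pairs each BIND with its RESULT by conn/op, attaches the connection's source address and TLS line, and lists the binds that failed. The sample log lines and the DNs and addresses in them are constructed placeholders modelled on the excerpt, not the poster's real data.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the 389-ds access log excerpt in this thread.
# Addresses and DNs are placeholders, not real values.
SAMPLE_LOG = """\
[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from 192.0.2.10 to 192.0.2.20
[30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=people,dc=example,dc=test" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=people,dc=example,dc=test"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=people,dc=example,dc=test" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from 192.0.2.10 to 192.0.2.20
[30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=people,dc=example,dc=test" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
"""

# Standard LDAP result codes (RFC 4511) for the ones most often seen on BIND.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Every access log line starts with a timestamp and conn=; op= is present only on operations.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')
CONN_RE = re.compile(r'connection from (?P<src>\S+) to (?P<dst>\S+)')
TLS_RE = re.compile(r'^(?P<tls>TLS\S+ \d+-bit \S+)')


def parse_access_log(text):
    """Return one record per completed BIND: conn, op, dn, method, err, err_name,
    plus src/dst/tls taken from the connection-level lines of the same conn."""
    conn_meta = defaultdict(dict)   # conn id -> {src, dst, tls}
    pending = {}                    # (conn, op) -> BIND record waiting for its RESULT
    binds = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m['conn'], m['op'], m['rest']
        if op is None:
            # Connection-level line: record peer addresses and negotiated TLS.
            cm = CONN_RE.search(rest)
            if cm:
                conn_meta[conn].update(src=cm['src'], dst=cm['dst'])
            tm = TLS_RE.match(rest)
            if tm:
                conn_meta[conn]['tls'] = tm['tls']
            continue
        bm = BIND_RE.match(rest)
        if bm:
            pending[(conn, op)] = {'ts': m['ts'], 'conn': conn, 'op': op,
                                   'dn': bm['dn'], 'method': int(bm['method'])}
            continue
        rm = RESULT_RE.match(rest)
        if rm and (conn, op) in pending:
            # RESULT for a BIND we saw (tag=97 is the bindResponse tag).
            rec = pending.pop((conn, op))
            err = int(rm['err'])
            rec.update(err=err, err_name=LDAP_RESULT_NAMES.get(err, f'code {err}'))
            rec.update(conn_meta.get(conn, {}))
            binds.append(rec)
    return binds


def failed_binds(text):
    """Only the BINDs whose RESULT carried a non-zero error code."""
    return [b for b in parse_access_log(text) if b['err'] != 0]


def summarize(text):
    """Human-readable one-liners, one per failed bind, for a quick triage report."""
    return [f"conn={b['conn']} op={b['op']} BIND {b['dn']} -> err={b['err']} ({b['err_name']})"
            f" from {b.get('src', '?')} over {b.get('tls', 'plaintext')}"
            for b in failed_binds(text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against a real access log (`parse_access_log(open(path).read())`), the output separates "the service account cannot bind" from "the per-user password check cannot bind", which is exactly the distinction the poster had to make by reading the log by hand; err=49 would point at a bad password, while err=53 says the server refused the operation for another reason and the server-side error log or the TLS setup on that connection is where to look next.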

2016-08-29 20:24 GMT+02:00 Noriko Hosoi <nhosoi@redhat.com>:
On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
Hi, 389ds'ers,

I have two 2012 r2 domain controllers with passsync 1.6 x64 installed. They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're working flawlessly.
I don't know if it's been a software update or a change in the domain settings. Thing is, today one of the controllers has stopped syncing.
Could there be a certificate issue? Did you have any chance to check the cert with the tool certutil?

Also, if you could try binding as the user "uid=juankar,ou=xxx...." using an ldap command over SSL, you may be able to get more info, e.g., returned from the server.

Thanks.
Whenever I change one password in that controller, the following message is logged in passsync.log:

08/29/16 11:30:07: Password list has 1 entries
08/29/16 11:30:07: Attempting to sync password for juankar
08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx....
08/29/16 11:30:07: Deferring password change for juankar

and in the server access log I get ldap bind err=53 when the passsync user tries to check the password:

[29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from xxxx
[29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx...." method=128 version=3
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
[29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND

Any hints? Could it be a problem with certificates? They're both using the same CA (windows CA Cert serv is installed in one of the DCs)
Regards!

--
389-users mailing list
389-users@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org