[389-users] Re: Strange behaviour password sync , windows 2012 r2

2016-08-29 Thread Arpit Tolani
Hello

On Mon, Aug 29, 2016 at 3:18 PM, Juan Carlos Camargo 
wrote:

> Hi, 389ds'ers,
>
> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64 . They're
> working flawlessly.
> I don't know if it's been a software update or a change in the domain
> settings. Thing is today, one of the controllers has stopped sync'ing.
> Whenever I change one password in that controller, the following message is
> logged in passsync.log:
>
> 08/29/16 11:30:07: Password list has 1 entries
> 08/29/16 11:30:07: Attempting to sync password for juankar
> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
> 08/29/16 11:30:07: Checking password failed for remote entry:
> uid=juankar,ou=xxx
> 08/29/16 11:30:07: Deferring password change for juankar
>
> and in the server access log I get ldap bind err=53 when the passsync user
> tries to check the password:
>
> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
> 
> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND
> dn="uid=juankar,ou=xxx" method=128 version=3
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0
> etime=0
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
>

It looks like BIND failed for that user. Can you use ldp.exe in Windows to
connect to the RHDS server & check?

Run ldp.exe
Connection > Connect
Enter the rhds server hostname in the server field
Enter port 636 in the port field
Check the SSL box
Click OK

Connection > Bind
Select the 'simple bind' radio button
Enter the DN uid=juankar,ou=xxx
Enter the password for the passsync account in the password field
Click OK



> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>
> Any hints? Could be a problem with certificates? They're both using the
> same CA (windows CA Cert serv is installed in one of the DCs)
> Regards!


-- 
Thanks & Regards
Arpit Tolani
--
389-users mailing list
389-users@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
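
Added example (not part of the thread): a small parser that pairs each BIND in a 389-ds access log with its RESULT by conn/op and decodes the result code, so the err=53 above reads as unwillingToPerform rather than invalidCredentials (49). The first four sample lines are the ones posted above with the wrapped lines rejoined; the conn=277 lines are constructed for contrast.

```python
import re

# LDAP result codes (RFC 4511) most often seen on bind results.
LDAP_RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
               53: "unwillingToPerform"}
BIND_METHOD = {"128": "simple"}  # method=128 is a simple (DN + password) bind
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$")
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
RESULT = re.compile(r"^RESULT err=(?P<err>\d+) tag=97\b")  # tag=97 is a BindResponse

# conn=276 lines come from the post; conn=277 lines are constructed sample data.
SAMPLE = """\
[29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
[29/Aug/2016:11:30:08 +0200] conn=277 op=0 BIND dn="uid=other,ou=xxx" method=128 version=3
[29/Aug/2016:11:30:08 +0200] conn=277 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=other,ou=xxx"
"""

def failed_binds(log_text):
    """Return one record per BIND whose matching RESULT has a non-zero err."""
    pending, tls, failures = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if op is None:
            if rest.startswith("TLS"):
                tls[conn] = rest  # cipher line, e.g. "TLS1.2 128-bit AES"
            continue
        bind, result = BIND.match(rest), RESULT.match(rest)
        if bind:
            pending[(conn, op)] = (m["ts"], bind["dn"], bind["method"])
        elif result and (conn, op) in pending:
            ts, dn, method = pending.pop((conn, op))
            err = int(result["err"])
            if err != 0:
                failures.append({"time": ts, "conn": conn, "dn": dn,
                                 "method": BIND_METHOD.get(method, method),
                                 "tls": tls.get(conn, "none"), "err": err,
                                 "meaning": LDAP_RESULT.get(err, "unknown")})
    return failures

if __name__ == "__main__":
    for failure in failed_binds(SAMPLE):
        print(failure)
```
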


[389-users] Re: Strange behaviour password sync , windows 2012 r2

2016-08-29 Thread Noriko Hosoi

On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:

> Hi, 389ds'ers,
>
> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64 . They're
> working flawlessly.
> I don't know if it's been a software update or a change in the domain
> settings. Thing is today, one of the controllers has stopped sync'ing.

Could there be a certificate issue?  Did you have any chance to check
the cert with the tool certutil?

Also, if you could try binding as the user "uid=juankar,ou=xxx"
using an ldap command over SSL, you may be able to get more info, e.g.,
returned from the server.

Thanks.

> Whenever I change one password in that controller, the following
> message is logged in passsync.log:
>
> 08/29/16 11:30:07: Password list has 1 entries
> 08/29/16 11:30:07: Attempting to sync password for juankar
> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
> 08/29/16 11:30:07: Checking password failed for remote entry:
> uid=juankar,ou=xxx
>
> 08/29/16 11:30:07: Deferring password change for juankar
>
> and in the server access log I get ldap bind err=53 when the passsync
> user tries to check the password:
>
> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection
> from
>
> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND
> dn="uid=juankar,ou=xxx" method=128 version=3
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97
> nentries=0 etime=0
>
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>
> Any hints? Could be a problem with certificates? They're both using
> the same CA (windows CA Cert serv is installed in one of the DCs)
>
> Regards!



[389-users] Strange behaviour password sync , windows 2012 r2

2016-08-29 Thread Juan Carlos Camargo
Hi, 389ds'ers,

I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64 . They're working
flawlessly.
I don't know if it's been a software update or a change in the domain
settings. Thing is today, one of the controllers has stopped sync'ing.
Whenever I change one password in that controller, the following message is
logged in passsync.log:

08/29/16 11:30:07: Password list has 1 entries
08/29/16 11:30:07: Attempting to sync password for juankar
08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
08/29/16 11:30:07: Checking password failed for remote entry:
uid=juankar,ou=xxx
08/29/16 11:30:07: Deferring password change for juankar

and in the server access log I get ldap bind err=53 when the passsync user
tries to check the password:

[29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from 
[29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx"
method=128 version=3
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0
etime=0
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
[29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND

Any hints? Could be a problem with certificates? They're both using the
same CA (windows CA Cert serv is installed in one of the DCs)
Regards!