[389-users] Re: Strange behaviour password sync , windows 2012 r2
Hello

On Mon, Aug 29, 2016 at 3:18 PM, Juan Carlos Camargo wrote:
> Hi, 389ds'ers,
>
> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64 . They're
> working flawlessly.
> I don't know if it's been a software update or a change in the domain
> settings. Thing is today, one of the controllers has stopped sync'ing.
> Whenever I change one password in that controller, the following message is
> logged in passsync.log:
>
> 08/29/16 11:30:07: Password list has 1 entries
> 08/29/16 11:30:07: Attempting to sync password for juankar
> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
> 08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx
> 08/29/16 11:30:07: Deferring password change for juankar
>
> and in the server access log I get ldap bind err=53 when the passsync user
> tries to check the password:
>
> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND

It looks like BIND failed for that user. Can you use ldp.exe in Windows to connect to the RHDS server & check?

Run ldp.exe
Connection > Connect
Enter the rhds server hostname in the server field
Enter port 636 in the port field
Check the SSL box
Click OK
Connection > Bind
Select the 'simple bind' radio button
Enter the DN uid=juankar,ou=xxx
Enter the password for the passsync account in the password field
Click OK

> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>
> Any hints? Could be a problem with certificates? They're both using the
> same CA (windows CA Cert serv is installed in one of the DCs)
> Regards!
>
> --
> 389-users mailing list
> 389-users@lists.fedoraproject.org
> https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

--
Thanks & Regards
Arpit Tolani
[389-users] Re: Strange behaviour password sync , windows 2012 r2
On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
> Hi, 389ds'ers,
>
> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64 . They're
> working flawlessly.
> I don't know if it's been a software update or a change in the domain
> settings. Thing is today, one of the controllers has stopped sync'ing.

Could there be a certificate issue? Did you have any chance to check the cert with the tool certutil?

Also, if you could try binding as the user "uid=juankar,ou=xxx" using an ldap command over SSL, you may be able to get more info, e.g., returned from the server.

Thanks.

> Whenever I change one password in that controller, the following message is
> logged in passsync.log:
>
> 08/29/16 11:30:07: Password list has 1 entries
> 08/29/16 11:30:07: Attempting to sync password for juankar
> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
> 08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx
> 08/29/16 11:30:07: Deferring password change for juankar
>
> and in the server access log I get ldap bind err=53 when the passsync user
> tries to check the password:
>
> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>
> Any hints? Could be a problem with certificates? They're both using the
> same CA (windows CA Cert serv is installed in one of the DCs)
> Regards!
[389-users] Strange behaviour password sync , windows 2012 r2
Hi, 389ds'ers,

I have two 2012 r2 domain controllers with passsync 1.6 x64 installed. They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64 . They're working flawlessly.
I don't know if it's been a software update or a change in the domain settings. Thing is today, one of the controllers has stopped sync'ing. Whenever I change one password in that controller, the following message is logged in passsync.log:

08/29/16 11:30:07: Password list has 1 entries
08/29/16 11:30:07: Attempting to sync password for juankar
08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx
08/29/16 11:30:07: Deferring password change for juankar

and in the server access log I get ldap bind err=53 when the passsync user tries to check the password:

[29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
[29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
[29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND

Any hints? Could be a problem with certificates? They're both using the same CA (windows CA Cert serv is installed in one of the DCs)

Regards!
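Added example, not part of the original posts and not 389-ds project code: a short Python script that pairs each BIND in a 389-ds access log with its RESULT line and names the LDAP result code, so that err=53 (unwillingToPerform in RFC 4511) is told apart from err=49 (invalidCredentials). The sample log is constructed from the lines quoted in this thread; the conn=277 and conn=278 entries and the name failed_binds are assumptions made for illustration.

```python
import re

# Subset of LDAP result codes (RFC 4511) useful when triaging failed binds.
LDAP_RESULT = {19: "constraintViolation", 32: "noSuchObject",
               48: "inappropriateAuthentication", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}

# Constructed sample: conn=276 mirrors the thread, conn=277/278 are made up.
SAMPLE_LOG = """\
[29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
[29/Aug/2016:11:30:09 +0200] conn=277 op=0 BIND dn="uid=other,ou=xxx" method=128 version=3
[29/Aug/2016:11:30:09 +0200] conn=277 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[29/Aug/2016:11:30:10 +0200] conn=278 op=0 BIND dn="uid=third,ou=xxx" method=128 version=3
[29/Aug/2016:11:30:10 +0200] conn=278 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')


def failed_binds(log_text):
    """Pair each BIND with its RESULT (same conn/op); return the failures."""
    pending, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without op= (connection banners) are skipped
        key = (m["conn"], m["op"])
        bind = BIND.match(m["rest"])
        if bind:
            pending[key] = (m["ts"], bind["dn"], bind["method"])
            continue
        res = RESULT.match(m["rest"])
        # tag=97 is the BindResponse; results of other operations are ignored.
        if res and res["tag"] == "97" and key in pending:
            ts, dn, method = pending.pop(key)
            err = int(res["err"])
            if err:
                failures.append({"time": ts, "conn": int(m["conn"]), "dn": dn,
                                 "method": method, "err": err,
                                 "name": LDAP_RESULT.get(err, "other")})
    return failures


if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG):
        print(f'{f["time"]} conn={f["conn"]} {f["dn"]} err={f["err"]} ({f["name"]})')
```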