[389-users] Re: Strange behaviour password sync , windows 2012 r2
Any ideas on this issue?

2016-09-02 9:47 GMT+02:00 Juan Carlos Camargo :
> I've been troubleshooting this issue.
> Reinstalled password sync, certificates, verified those certificates. And
> the sync started working, the sync user was able to check the remote
> password.
> Today, again, it's back: Binding with the user returns error 53 :(
>
> 09/02/16 09:32:12: Attempting to sync password for juankar
> 09/02/16 09:32:12: Searching for (ntuserdomainid=juankar)
> 09/02/16 09:32:12: Checking password failed for remote entry: uid=juankar,ou=x
> 09/02/16 09:32:12: Deferring password change for juankar
>
> and the ldap server is responding with error 53:
>
> [02/Sep/2016:09:32:12 +0200] conn=36 op=0 BIND dn="uid=juankar,xxx" method=128 version=3
> [02/Sep/2016:09:32:12 +0200] conn=36 op=0 RESULT err=53 tag=97 nentries=0 etime=0
>
> With ldp, from the affected windows 2012 server and connecting to the
> involved ldap server, using ssl I get no errors at all:
>
> res = ldap_simple_bind_s(ld, 'uid=juankar,xx', ); // v.3
> Authenticated as: 'uid=juankar,ou=sistemas,ou=eprinsa,ou=usuarios,dc=metaeprinsa,dc=org'.
>
> Going crazy.
>
> 2016-08-30 8:44 GMT+02:00 Juan Carlos Camargo :
>> Thank you both for your answers.
>> Sorry, I should've included more lines in my log.
>> Bindings with the passSync user are ok. But after that, the system tries
>> to bind with the user whose password is being changed and that's when it
>> fails:
>>
>> This is what happens when user jmml01 changes his password in Windows and
>> he was connected to the failing controller:
>>
>> Windows:
>>
>> 08/30/16 08:28:56: Attempting to sync password for jmml01
>> 08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
>> 08/30/16 08:28:56: Checking password failed for remote entry: uid=jmml01,ou=xxx
>> 08/30/16 08:28:56: Deferring password change for jmml01
>> 08/30/16 08:28:56: Backing off for 4096000ms
>>
>> 389ds:
>>
>> [30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from A.B.C.D to A1.B1.C1.D1
>> [30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xx" method=128 version=3
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=x"
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>> [30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from A.B.C.D to A1.B1.C1.D1
>> [30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
>> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=x" method=128 version=3
>> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
>> [30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
>>
>> However, if the user was connected on the other controller, the password
>> will be successfully changed. I also believe it's a certificate problem;
>> I'm going to review my config on that side.
>>
>> Regards!
>>
>> 2016-08-29 20:24 GMT+02:00 Noriko Hosoi :
>>> On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
>>>
>>> Hi, 389ds'ers,
>>>
>>> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
>>> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're
>>> working flawlessly.
>>> I don't know if it's been a software update or a change in the domain
>>> settings. Thing is, today one of the controllers has stopped sync'ing.
>>>
>>> Could there be a certificate issue? Did you have any chance to check
>>> the cert with the tool certutil?
>>>
>>> Also, if you could try binding as the user "uid=juankar,ou=xxx"
>>> using an ldap command over SSL, you may be able to get more info, e.g.,
>>> returned from the server.
>>>
>>> Thanks.
>>>
>>> Whenever I change one password in that controller, the following message
>>> is logged in passsync.log:
>>>
>>> 08/29/16 11:30:07: Password list has 1 entries
>>> 08/29/16 11:30:07: Attempting to sync password for juankar
>>> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
>>> 08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx
>>> 08/29/16 11:30:07: Deferring password change for juankar
>>>
>>> and in the server access log I get ldap bind err=53 when the passsync
>>> user tries to check the password:
>>>
>>> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
>>> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
[389-users] Re: Strange behaviour password sync , windows 2012 r2
I've been troubleshooting this issue.
Reinstalled password sync, certificates, verified those certificates. And
the sync started working, the sync user was able to check the remote
password.
Today, again, it's back: Binding with the user returns error 53 :(

09/02/16 09:32:12: Attempting to sync password for juankar
09/02/16 09:32:12: Searching for (ntuserdomainid=juankar)
09/02/16 09:32:12: Checking password failed for remote entry: uid=juankar,ou=x
09/02/16 09:32:12: Deferring password change for juankar

and the ldap server is responding with error 53:

[02/Sep/2016:09:32:12 +0200] conn=36 op=0 BIND dn="uid=juankar,xxx" method=128 version=3
[02/Sep/2016:09:32:12 +0200] conn=36 op=0 RESULT err=53 tag=97 nentries=0 etime=0

With ldp, from the affected windows 2012 server and connecting to the
involved ldap server, using ssl I get no errors at all:

res = ldap_simple_bind_s(ld, 'uid=juankar,xx', ); // v.3
Authenticated as: 'uid=juankar,ou=sistemas,ou=eprinsa,ou=usuarios,dc=metaeprinsa,dc=org'.

Going crazy.

2016-08-30 8:44 GMT+02:00 Juan Carlos Camargo :
> Thank you both for your answers.
> Sorry, I should've included more lines in my log.
> Bindings with the passSync user are ok. But after that, the system tries
> to bind with the user whose password is being changed and that's when it
> fails:
>
> This is what happens when user jmml01 changes his password in Windows and
> he was connected to the failing controller:
>
> Windows:
>
> 08/30/16 08:28:56: Attempting to sync password for jmml01
> 08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
> 08/30/16 08:28:56: Checking password failed for remote entry: uid=jmml01,ou=xxx
> 08/30/16 08:28:56: Deferring password change for jmml01
> 08/30/16 08:28:56: Backing off for 4096000ms
>
> 389ds:
>
> [30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from A.B.C.D to A1.B1.C1.D1
> [30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xx" method=128 version=3
> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=x"
> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from A.B.C.D to A1.B1.C1.D1
> [30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=x" method=128 version=3
> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
> [30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
>
> However, if the user was connected on the other controller, the password
> will be successfully changed. I also believe it's a certificate problem;
> I'm going to review my config on that side.
>
> Regards!
>
> 2016-08-29 20:24 GMT+02:00 Noriko Hosoi :
>> On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
>>
>> Hi, 389ds'ers,
>>
>> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
>> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're
>> working flawlessly.
>> I don't know if it's been a software update or a change in the domain
>> settings. Thing is, today one of the controllers has stopped sync'ing.
>>
>> Could there be a certificate issue? Did you have any chance to check the
>> cert with the tool certutil?
>>
>> Also, if you could try binding as the user "uid=juankar,ou=xxx" using
>> an ldap command over SSL, you may be able to get more info, e.g., returned
>> from the server.
>>
>> Thanks.
>>
>> Whenever I change one password in that controller, the following message
>> is logged in passsync.log:
>>
>> 08/29/16 11:30:07: Password list has 1 entries
>> 08/29/16 11:30:07: Attempting to sync password for juankar
>> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
>> 08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx
>> 08/29/16 11:30:07: Deferring password change for juankar
>>
>> and in the server access log I get ldap bind err=53 when the passsync
>> user tries to check the password:
>>
>> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
>> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
>> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
>> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
>> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>>
>> Any hints? Could be a problem with certificates? They're both using the
>> same CA (windows CA Cert serv is installed in one of the DCs)
>> Regards!
[389-users] Re: Strange behaviour password sync , windows 2012 r2
Thank you both for your answers.
Sorry, I should've included more lines in my log.
Bindings with the passSync user are ok. But after that, the system tries
to bind with the user whose password is being changed and that's when it
fails:

This is what happens when user jmml01 changes his password in Windows and
he was connected to the failing controller:

Windows:

08/30/16 08:28:56: Attempting to sync password for jmml01
08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
08/30/16 08:28:56: Checking password failed for remote entry: uid=jmml01,ou=xxx
08/30/16 08:28:56: Deferring password change for jmml01
08/30/16 08:28:56: Backing off for 4096000ms

389ds:

[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xx" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=x"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=x" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND

However, if the user was connected on the other controller, the password
will be successfully changed. I also believe it's a certificate problem;
I'm going to review my config on that side.

Regards!

2016-08-29 20:24 GMT+02:00 Noriko Hosoi :
> On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
>
> Hi, 389ds'ers,
>
> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're
> working flawlessly.
> I don't know if it's been a software update or a change in the domain
> settings. Thing is, today one of the controllers has stopped sync'ing.
>
> Could there be a certificate issue? Did you have any chance to check the
> cert with the tool certutil?
>
> Also, if you could try binding as the user "uid=juankar,ou=xxx" using
> an ldap command over SSL, you may be able to get more info, e.g., returned
> from the server.
>
> Thanks.
>
> Whenever I change one password in that controller, the following message
> is logged in passsync.log:
>
> 08/29/16 11:30:07: Password list has 1 entries
> 08/29/16 11:30:07: Attempting to sync password for juankar
> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
> 08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx
> 08/29/16 11:30:07: Deferring password change for juankar
>
> and in the server access log I get ldap bind err=53 when the passsync user
> tries to check the password:
>
> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>
> Any hints? Could be a problem with certificates? They're both using the
> same CA (windows CA Cert serv is installed in one of the DCs)
> Regards!
--
389-users mailing list
389-users@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
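The access-log excerpt above shows the pattern that matters for this thread: the passsync account's BIND on conn=262 returns err=0 and its search finds the entry, while the follow-up BIND as the user on conn=263 returns err=53. To check a whole access log for that pattern mechanically, here is an added Python helper (not part of the thread or of 389-ds) that pairs each BIND with its RESULT by conn/op and names the result code per RFC 4511; the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample modelled on the 389-ds access log quoted in this thread: the
# passsync account (uid=winsync) binds and searches fine on conn=262, then the bind
# as the user whose password changed (conn=263) is refused with err=53.
SAMPLE_ACCESS_LOG = """\
[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xx" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=x"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=x" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
"""

# RFC 4511 result codes worth naming when triaging bind failures.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
# tag=97 is the BER tag of BindResponse, so only a RESULT with tag=97 answers a BIND.
RESULT_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')

def correlate_binds(log_text):
    """Pair each BIND with the RESULT for the same conn/op; err stays None if no RESULT was logged."""
    pending, binds = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            info = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]),
                    "dn": m["dn"], "method": int(m["method"]), "err": None}
            pending[(info["conn"], info["op"])] = info
            binds.append(info)
            continue
        m = RESULT_RE.match(line)
        if m and m["tag"] == "97":
            bind = pending.pop((int(m["conn"]), int(m["op"])), None)
            if bind is not None:
                bind["err"] = int(m["err"])
    return binds

def failed_binds(log_text):
    """(conn, dn, err, name) for every bind that did not return err=0."""
    out = []
    for b in correlate_binds(log_text):
        if b["err"] != 0:
            name = "noResult" if b["err"] is None else RESULT_NAMES.get(b["err"], "unknown")
            out.append((b["conn"], b["dn"], b["err"], name))
    return out
```

Run against a real access log, `failed_binds(open(path).read())` lists only the binds that were refused, so the sync account's successful bind drops out and the user bind with err=53 (unwillingToPerform) is what remains.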
[389-users] Re: Strange behaviour password sync , windows 2012 r2
Hello

On Mon, Aug 29, 2016 at 3:18 PM, Juan Carlos Camargo wrote:
> Hi, 389ds'ers,
>
> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're
> working flawlessly.
> I don't know if it's been a software update or a change in the domain
> settings. Thing is, today one of the controllers has stopped sync'ing.
> Whenever I change one password in that controller, the following message is
> logged in passsync.log:
>
> 08/29/16 11:30:07: Password list has 1 entries
> 08/29/16 11:30:07: Attempting to sync password for juankar
> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
> 08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx
> 08/29/16 11:30:07: Deferring password change for juankar
>
> and in the server access log I get ldap bind err=53 when the passsync user
> tries to check the password:
>
> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
>

It looks like BIND failed for that user. Can you use ldp.exe in Windows to connect to the RHDS server and check?

Run ldp.exe
Connection > Connect
Enter the rhds server hostname in the server field
Enter port 636 in the port field
Check the SSL box
Click OK
Connection > Bind
Select the 'simple bind' radio button
Enter the DN uid=juankar,ou=xxx
Enter the password for the passsync account in the password field
Click OK

> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>
> Any hints? Could be a problem with certificates? They're both using the
> same CA (windows CA Cert serv is installed in one of the DCs)
> Regards!
--
Thanks & Regards
Arpit Tolani
[389-users] Re: Strange behaviour password sync , windows 2012 r2
On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
> Hi, 389ds'ers,
>
> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're
> working flawlessly.
> I don't know if it's been a software update or a change in the domain
> settings. Thing is, today one of the controllers has stopped sync'ing.

Could there be a certificate issue? Did you have any chance to check the cert with the tool certutil?

Also, if you could try binding as the user "uid=juankar,ou=xxx" using an ldap command over SSL, you may be able to get more info, e.g., returned from the server.

Thanks.

> Whenever I change one password in that controller, the following message
> is logged in passsync.log:
>
> 08/29/16 11:30:07: Password list has 1 entries
> 08/29/16 11:30:07: Attempting to sync password for juankar
> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
> 08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx
> 08/29/16 11:30:07: Deferring password change for juankar
>
> and in the server access log I get ldap bind err=53 when the passsync user
> tries to check the password:
>
> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx" method=128 version=3
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>
> Any hints? Could be a problem with certificates? They're both using the
> same CA (windows CA Cert serv is installed in one of the DCs)
> Regards!