Any ideas on this issue?
2016-09-02 9:47 GMT+02:00 Juan Carlos Camargo juancarlos@eprinsa.es:
I've been troubleshooting this issue. Reinstalled password sync, certificates, verified those certificates. And the sync started working, the sync user was able to check the remote password. Today, again, it's back: binding with the user returns error 53 :(
09/02/16 09:32:12: Attempting to sync password for juankar
09/02/16 09:32:12: Searching for (ntuserdomainid=juankar)
09/02/16 09:32:12: Checking password failed for remote entry: uid=juankar,ou=xxxxx
09/02/16 09:32:12: Deferring password change for juankar
and the ldap server is responding with error 53:
[02/Sep/2016:09:32:12 +0200] conn=36 op=0 BIND dn="uid=juankar,xxxxxxx" method=128 version=3
[02/Sep/2016:09:32:12 +0200] conn=36 op=0 RESULT err=53 tag=97 nentries=0 etime=0
With ldp, from the affected Windows 2012 server and connecting to the involved ldap server, using SSL I get no errors at all:
res = ldap_simple_bind_s(ld, 'uid=juankar,xxxxxx', <unavailable>); // v.3
Authenticated as: 'uid=juankar,ou=sistemas,ou=eprinsa,ou=usuarios,dc=metaeprinsa,dc=org'.
Going crazy.
2016-08-30 8:44 GMT+02:00 Juan Carlos Camargo juancarlos@eprinsa.es:
Thank you both for your answers. Sorry I should've included more lines in my log. Bindings with the passSync user are ok. But after that, the system tries to bind with the user whose password is being changed and that's when it fails:
This is what happens when user jmml01 changes his password in Windows and he was connected to the failing controller:
Windows:
08/30/16 08:28:56: Attempting to sync password for jmml01
08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
08/30/16 08:28:56: Checking password failed for remote entry: uid=jmml01,ou=xxxxxxx
08/30/16 08:28:56: Deferring password change for jmml01
08/30/16 08:28:56: Backing off for 4096000ms
389ds:
[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xxxxxx" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=xxxxx"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=xxxxx" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
However, if the user was connected on the other controller, the password will be successfully changed. I also believe it's a certificate problem, I'm going to review my config on that side.
Regards!
2016-08-29 20:24 GMT+02:00 Noriko Hosoi nhosoi@redhat.com:
On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
Hi, 389ds'ers,
I have two 2012 R2 domain controllers with passsync 1.6 x64 installed. They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're working flawlessly. I don't know if it's been a software update or a change in the domain settings. Thing is, today one of the controllers has stopped syncing.
Could there be a certificate issue? Did you have any chance to check the cert with the tool certutil?
Also, if you could try binding as the user "uid=juankar,ou=xxx...." using an ldap command over SSL, you may be able to get more info, e.g., returned from the server.
Thanks.
Whenever I change one password in that controller, the following message is logged in passsync.log:
08/29/16 11:30:07: Password list has 1 entries
08/29/16 11:30:07: Attempting to sync password for juankar
08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx....
08/29/16 11:30:07: Deferring password change for juankar
and in the server access log I get ldap bind err=53 when the passsync user tries to check the password:
[29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from xxxx
[29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx...." method=128 version=3
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
[29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
Any hints? Could it be a problem with certificates? They're both using the same CA (Windows CA Cert serv is installed in one of the DCs). Regards!
-- 389-users mailing list 389-users@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
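As an added troubleshooting aid (not code from the thread or from the 389-ds/PassSync projects), the script below pairs each BIND with its RESULT on the same conn/op in a 389-ds access log and lists the binds that failed, naming the LDAP result code so an err=53 (unwillingToPerform, the error seen above) stands out from an err=49 (invalidCredentials). The sample log is constructed to mirror the thread's excerpt; the DNs and IP addresses in it are made up.

```python
import re

# Standard LDAP result codes (RFC 4511) seen in 389-ds RESULT lines.
LDAP_RESULT_CODES = {0: "success", 32: "noSuchObject",
                     49: "invalidCredentials", 53: "unwillingToPerform"}

# Constructed sample modelled on the access log excerpt in the thread:
# the PassSync service account binds and searches by ntUserDomainId on
# conn=262, then the user's own password check fails with err=53 on conn=263.
SAMPLE_LOG = """\
[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from 10.0.0.5 to 10.0.0.9
[30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=people,dc=example,dc=org" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=people,dc=example,dc=org"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from 10.0.0.5 to 10.0.0.9
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=people,dc=example,dc=org" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def failed_binds(log_text):
    """Return (conn, bind dn, err, name) for every BIND whose RESULT was not err=0.

    A BIND and its RESULT share the same conn and op numbers, so we keep the
    bind DN keyed by (conn, op) until the matching RESULT line arrives.
    """
    pending = {}      # (conn, op) -> DN of a BIND still awaiting its RESULT
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            if err != 0:
                failures.append((m.group(1), dn, err, LDAP_RESULT_CODES.get(err, "unknown")))
    return failures


if __name__ == "__main__":
    for conn, dn, err, name in failed_binds(SAMPLE_LOG):
        print(f"conn={conn} BIND as {dn} failed: err={err} ({name})")
```

Run it against a real access log with `failed_binds(open("access").read())`; a RESULT whose op has no preceding BIND (the SRCH result above) is ignored.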