Thank you both for your answers.
Sorry, I should have included more lines in my log.
Bindings with the PassSync user are OK. But after that, the system tries to
bind with the user whose password is being changed, and that's when it fails.
This is what happens when user jmml01 changes his password in Windows while
connected to the failing controller:
Windows:
08/30/16 08:28:56: Attempting to sync password for jmml01
08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
08/30/16 08:28:56: Checking password failed for remote entry:
uid=jmml01,ou=xxxxxxx
08/30/16 08:28:56: Deferring password change for jmml01
08/30/16 08:28:56: Backing off for 4096000ms
389ds:
[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from
A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xxxxxx"
method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=winsync,ou=xxxxx"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx"
scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1
etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from
A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=xxxxx"
method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0
etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
However, if the user was connected to the other controller, the password
is changed successfully. I also believe it's a certificate problem; I'm going
to review my config on that side.
Regards!
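As an added illustration (not part of the original post, nor code from the PassSync or 389-ds projects): a small Python script that correlates each BIND with its RESULT line in a 389-ds access log by the conn/op pair, so a refused bind like the err=53 above can be picked out together with the client address and TLS parameters of the connection it arrived on. The sample log is the one quoted in this post, with its placeholder DNs and addresses, re-joined onto single lines; the result-code names are the RFC 4511 ones, and the tag value 97 is the BER tag of an LDAP bindResponse.

```python
import re
import sys

# Field patterns for 389-ds access log lines, matching the format quoted in the post
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_RE = re.compile(r'^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)')
TLS_RE = re.compile(r'^TLS(?P<ver>\S+) (?P<cipher>.+)$')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')

# LDAP result codes from RFC 4511 (only the ones commonly seen on a BIND)
LDAP_RESULT_NAMES = {
    0: "success",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}
BIND_RESPONSE_TAG = 97  # 0x61 = [APPLICATION 1] bindResponse

# Constructed sample: the access log lines from this post, re-joined onto single lines
SAMPLE_ACCESS_LOG = """\
[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xxxxxx" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=xxxxx"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=xxxxx" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
"""


def parse_bind_results(lines):
    """Return one record per completed BIND: who bound, the result, and the connection's source/TLS."""
    conns = {}     # conn id -> {"src": client address, "tls": negotiated protocol/cipher}
    pending = {}   # (conn, op) -> bind DN still waiting for its RESULT line
    records = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an access log line (blank, wrapped fragment, etc.)
        ts, conn, rest = m.group("ts"), m.group("conn"), m.group("rest")
        meta = conns.setdefault(conn, {"src": None, "tls": None})
        cm = CONN_RE.match(rest)
        if cm:
            meta["src"] = cm.group("src")
            continue
        tm = TLS_RE.match(rest)
        if tm:
            meta["tls"] = "TLS%s %s" % (tm.group("ver"), tm.group("cipher"))
            continue
        bm = BIND_RE.match(rest)
        if bm:
            pending[(conn, bm.group("op"))] = bm.group("dn")
            continue
        rm = RESULT_RE.match(rest)
        if rm and int(rm.group("tag")) == BIND_RESPONSE_TAG:
            # Only bind responses are correlated; search results (tag=101) are ignored
            err = int(rm.group("err"))
            records.append({
                "ts": ts, "conn": conn, "op": rm.group("op"),
                "dn": pending.pop((conn, rm.group("op")), "<unknown>"),
                "err": err, "err_name": LDAP_RESULT_NAMES.get(err, "unknown"),
                "src": meta["src"], "tls": meta["tls"],
            })
    return records


def failed_binds(lines):
    """Only the binds the server did not accept (err != 0)."""
    return [r for r in parse_bind_results(lines) if r["err"] != 0]


if __name__ == "__main__":
    # Pass a path to an access log, or run without arguments to use the sample above
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for r in failed_binds(source.splitlines()):
        print("%(ts)s conn=%(conn)s op=%(op)s dn=%(dn)s err=%(err)d (%(err_name)s) "
              "from %(src)s over %(tls)s" % r)
```

On the sample this reports only the jmml01 bind on conn=263 as err=53 (unwillingToPerform); the winsync bind on conn=262 succeeded. The distinction the output makes is the useful one for diagnosing this thread: a wrong or stale password would come back as err=49 (invalidCredentials), whereas err=53 means the server refused to perform the bind for a policy reason, so the explanation has to come from the server side, not from the credentials being sent.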
2016-08-29 20:24 GMT+02:00 Noriko Hosoi <nhosoi(a)redhat.com>:
On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
Hi, 389ds'ers,
I have two 2012 R2 domain controllers with PassSync 1.6 x64 installed.
They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They were
working flawlessly.
I don't know if it's been a software update or a change in the domain
settings. The thing is, today one of the controllers has stopped syncing.
Could there be a certificate issue? Did you have any chance to check the
cert with the tool certutil?
Also, if you could try binding as the user "uid=juankar,ou=xxx...." using
an ldap command over SSL, you may be able to get more info, e.g., returned
from the server.
Thanks.
Whenever I change one password in that controller, the following message
is logged in passsync.log:
08/29/16 11:30:07: Password list has 1 entries
08/29/16 11:30:07: Attempting to sync password for juankar
08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
08/29/16 11:30:07: Checking password failed for remote entry:
uid=juankar,ou=xxx....
08/29/16 11:30:07: Deferring password change for juankar
and in the server access log I get ldap bind err=53 when the passsync user
tries to check the password:
[29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
xxxx
[29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND
dn="uid=juankar,ou=xxx...." method=128 version=3
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0
etime=0
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
[29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
Any hints? Could it be a problem with certificates? They're both using the
same CA (Windows CA Cert serv is installed in one of the DCs).
Regards!
--
389-users mailing list
389-users@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org