On Wed, 18 Apr 2018, Miguel Angel Coa M. wrote:
Hello Alexander,
Thanks for your clarification. The problem was: the user changed the password on
the personal computer, but this action hit another domain controller
(balancing), not necessarily the one where the passsync program is installed, so some
users hit AD (with passsync, and sync OK) but other users hit AD2
(without passsync, and no sync). I will install passsync on AD2 and will try.
Thanks.
Regards.
---
Miguel Coa M.

This is one of the limitations of the approach with syncing passwords, as you
have to install passsync on all DCs. The same applies to any other
tools which rely on the password quality checks interface in Windows to
intercept the passwords, as once a password is changed, other DCs will see
only password hashes and not the plain text anymore.

2018-04-18 4:03 GMT-03:00 Alexander Bokovoy <abokovoy@redhat.com>:
On Tue, 17 Apr 2018, Miguel Angel Coa M. via FreeIPA-users wrote:
Hello Guys,
I have IPA server 4.5, connected to Windows AD; the user replication is OK,
but I have a strange problem with password sync: some users synchronize the
password without problem, but for other user accounts the password does not synchronize.
User OK (can successfully log in)
[....................]
User login: pruebas.sistemas
First name: Pruebas
Last name: Sistemas
Home directory: /home/pruebas.sistemas
Login shell: /bin/bash
Principal alias: pruebas.sistemas@EXAMPLE.COM
Email address: pruebas.sistemas@example.com
UID: 494205252
GID: 494205252
Account disabled: False
Password: True
Kerberos keys available: True
[....................]
ssh auth log
[....................]
Apr 17 16:45:03 odi-scan sshd[26044]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.3.30 user=pruebas.sistemas
Apr 17 16:45:05 odi-scan sshd[26041]: Accepted keyboard-interactive/pam for pruebas.sistemas from 10.191.3.30 port 64603 ssh2
Apr 17 16:45:05 odi-scan sshd[26041]: pam_unix(sshd:session): session opened for user pruebas.sistemas by (uid=0)
Apr 17 16:45:19 odi-scan sshd[26041]: pam_unix(sshd:session): session closed for user pruebas.sistemas
[....................]
User with error (can't log in via ssh)
[....................]
User login: rodrigo.gutierrez
First name: Rodrigo Antonio
Last name: Gutiérrez Torres
Home directory: /home/rodrigo.gutierrez
Login shell: /bin/bash
Principal alias: rodrigo.gutierrez@EXAMPLE.COM
Email address: rodrigo.gutierrez@example.com
UID: 494206316
GID: 494206316
Telephone Number: +15013
Job Title: Ingeniero en Sistemas
Account disabled: False
Password: False
Member of groups: admins
Member of Sudo rule: admin-log
Kerberos keys available: False
[....................]
Error on the client server:
[....................]
Apr 17 17:06:54 odi-scan sshd[27243]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.3.30 user=rodrigo.gutierrez
Apr 17 17:06:54 odi-scan sshd[27243]: pam_sss(sshd:auth): received for user rodrigo.gutierrez: 17 (Failure setting user credentials)
[....................]
Both ssh connections are against the same server.

For the second user a login failure is expected because it has no
password set on the account.
I guess you'd need to look into passsync logs to understand whether
there is a failure in synchronization of the password on a password
change in AD. Typical issues might be:
- you haven't installed the passsync plugin on all DCs and the user used a
different DC to do a password change where there is no passsync
plugin, so the password is not intercepted for a sync
- the user never changed a password since establishing the sync procedure.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
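A way to verify the point Alexander makes, as an added example that is not part of the thread or of the FreeIPA/PassSync project: a PowerShell script run from a domain-joined admin workstation that lists which domain controllers have the password filter registered in the LSA "Notification Packages" value, and then looks up which DC logged the password change (Security events 4723 for a change, 4724 for a reset) for one user. A 4723/4724 event on a DC whose filter column says False is exactly the pattern described above: the change was processed where no filter saw the plaintext, so nothing was synced. Assumptions: the RSAT ActiveDirectory module is installed, the caller can read each DC's registry via PowerShell remoting and its Security log, and the filter entry is named `passhook` (the DLL that the PassSync installer registers; confirm the name on your own DC before relying on it).

```powershell
# Added example (not from the thread or the PassSync project). Assumes RSAT
# ActiveDirectory, PowerShell remoting to every DC, read access to each DC's
# Security log, and that PassSync's filter is registered as "passhook".
param(
    [string]$User       = 'rodrigo.gutierrez',  # sAMAccountName from the thread
    [int]   $Days       = 30,                   # how far back to look for password changes
    [string]$FilterName = 'passhook'            # assumed Notification Packages entry for PassSync
)

Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Coverage check. A password filter DLL only sees the plaintext on the DC that
#    services the change, so every writable DC needs the filter registered.
$coverage = foreach ($dc in $dcs) {
    $pkgs = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').'Notification Packages'
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC          = $dc
        HasPassSync = [bool]($pkgs -contains $FilterName)
        Packages    = ($pkgs -join ',')
    }
}
$coverage | Format-Table -AutoSize

$missing = $coverage | Where-Object { -not $_.HasPassSync }
if ($missing) {
    Write-Warning ("No '$FilterName' filter on: " + ($missing.DC -join ', ') +
        ". Password changes serviced by these DCs are never synced.")
}

# 2. Which DC actually handled the user's password change? 4723/4724 are logged
#    only on the DC that processed the operation, so query every DC.
$since  = (Get-Date).AddDays(-$Days)
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4723, 4724
        StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML instead of trusting property positions.
        $data   = ([xml]$_.ToXml()).Event.EventData.Data
        $target = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        if ($target -eq $User) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                EventId = $_.Id
                Target  = $target
            }
        }
    }
}

# 3. Correlate: a change on a DC without the filter explains a user whose IPA
#    entry still shows "Password: False" after changing it in AD.
$events | Sort-Object Time -Descending | ForEach-Object {
    $covered = ($coverage | Where-Object { $_.DC -eq $_.DC -and $_.DC -eq $PSItem.DC }).HasPassSync
    [pscustomobject]@{
        Time    = $_.Time
        DC      = $_.DC
        EventId = $_.EventId
        Synced  = if ($covered) { 'filter present' } else { 'NO FILTER ON THIS DC' }
    }
} | Format-Table -AutoSize
```

Run it once per affected user; the second table shows whether the most recent change landed on a covered DC. Step 3 is the check to repeat after installing PassSync on the remaining DC(s): the user must change the password again, since, as Alexander notes, the other DCs only ever receive the hash, and nothing on the AD side can retroactively produce the plaintext for the sync.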