Something more:

On FreeIPA side there are built these errors too:


[15/Mar/2012:10:02:02 +0100] encrypt_encode_key - [file ipapwd_encoding.c,
line 451]: krb5_c_string_to_key failed [Invalid argument]

[15/Mar/2012:10:02:02 +0100] ipapwd_gen_hashes - [file ipapwd_encoding.c,
line 776]: key encryption/encoding failed



Von: Bennet Lingner [] 
Gesendet: Donnerstag, 15. März 2012 10:34
An: ''
Betreff: AW: Windows Password Synchronization Error




Thank you for your reply.


Version of freeipa and 389 packages: 

Freeipa server, python, admintools, client, server-selinux all in

389-ds-base- + libs


Platform is Fedora 16 3.2.9-2.fc16.i686.PAE on AMD Opteron CPU

Ldapmodify and ipa passwd are working perfectly, I’ve changed password in
this ways and passwords were synchronized.


So I conclude the problem is specific to AD Passsync?

If it is so, do I have the possibility on AD side too to set or try


Best regards.


Bennet Lingner



Von: Rich Megginson [] 
Gesendet: Mittwoch, 14. März 2012 16:31
An: Bennet Lingner
Betreff: Re: Windows Password Synchronization Error


On 03/14/2012 06:29 AM, Bennet Lingner wrote: 

Dear Mr. Megginson,


I’ve seen in www, that you are very involved in 389 directory server, that’s
why I decided to send this mail to you.

I hope you can help me.


I’m running a WIN2K8 R2 64 bit and a fedora Linux 32 bit with freeipa.

In the future, please use the email list.  Please
also include the versions of your freeipa and 389 packages:
rpm -qa|grep freeipa
rpm -qa|grep 389

There is a win sync agreement, which works very well, even the passwords are


The only problem is that:

If I set a new password on windows side with more than 2 special characters,
e.g. ‘!Mäusel 10’ or ‘!Rüdiger 20’

Then I get the passsync error:


03/14/12 12:26:13: Ldap error in ModifyPassword

         1: Operations error

03/14/12 12:26:13: Modify Password failed for remote entry: uid=…

03/14/12 12:26:13: Deferring password change for …


Do you have any idea, if that could be or something else, what can I do? 

What is your 389-ds-base version and platform?
Can you use ldapmodify to change the user password to one of the above
values?  Can you use ipa-passwd?  That is, is the problem specific to AD
PassSync, or is it a problem with these types of passwords in general?  


Best regards.


Mit freundlichen Grüßen


Bennet Lingner

Hochschule Anhalt - ZIK

Tel. +49 (0) 3496 67-5420

Fax +49 (0) 3496 67-95420

Bernburger Straße 55

06366 Köthen (Anhalt)

Hochschule Anhalt (FH) * Bernburger Straße 55 * D 06366 Köthen
Präsident Prof. Dr. Dr. h.c. Dieter Orzessek * Tel.: +49 (0) 3496 67 1000 *
Fax +49 (0) 3496 67 1099
Betriebsnummer 030 77 111 * Umsatzsteuernummer DE 8140 92 585
Zuständige Aufsichtsbehörde Kultusministerium des Landes Sachsen-Anhalt, PF
3765, 39012 Magdeburg



Attachment: smime.p7s
Description: S/MIME cryptographic signature

Freeipa-users mailing list

Reply via email to