Bennet Lingner wrote:
Something more:

On the FreeIPA side, these errors are generated too:

[15/Mar/2012:10:02:02 +0100] encrypt_encode_key - [file ipapwd_encoding.c, line 451]: krb5_c_string_to_key failed [Invalid argument]

[15/Mar/2012:10:02:02 +0100] ipapwd_gen_hashes - [file ipapwd_encoding.c, line 776]: key encryption/encoding failed

It is failing trying to create a Kerberos key out of the password. I'm not sure why at the moment, that is a very strange message coming out of the krb5 libs.


*From:* Bennet Lingner []
*Sent:* Thursday, 15 March 2012 10:34
*To:* ''
*Subject:* Re: Windows Password Synchronization Error


Thank you for your reply.

Version of freeipa and 389 packages:

Freeipa server, python, admintools, client, server-selinux all in

389-ds-base- + libs

Platform is Fedora 16 3.2.9-2.fc16.i686.PAE on AMD Opteron CPU

Ldapmodify and ipa passwd are working perfectly. I’ve changed the password
in these ways and the passwords were synchronized.

So I conclude the problem is specific to AD PassSync?

If it is so, do I have the possibility on AD side too to set or try

Best regards.

Bennet Lingner

*From:* Rich Megginson []
*Sent:* Wednesday, 14 March 2012 16:31
*To:* Bennet Lingner
*Subject:* Re: Windows Password Synchronization Error

On 03/14/2012 06:29 AM, Bennet Lingner wrote:

Dear Mr. Megginson,

I’ve seen on the web that you are very involved in 389 Directory Server,
which is why I decided to send this mail to you.

I hope you can help me.

I’m running a WIN2K8 R2 64 bit and a Fedora Linux 32 bit with FreeIPA.

In the future, please use the
<> email list. Please also include the
versions of your freeipa and 389 packages:
rpm -qa|grep freeipa
rpm -qa|grep 389

There is a win sync agreement, which works very well, even the passwords
are synchronized.

The only problem is that:

If I set a new password on windows side with more than 2 special
characters, e.g. ‘!Mäusel 10’ or ‘!Rüdiger 20’

Then I get the PassSync error:

03/14/12 12:26:13: Ldap error in ModifyPassword

1: Operations error

03/14/12 12:26:13: Modify Password failed for remote entry: uid=…

03/14/12 12:26:13: Deferring password change for …

Do you have any idea, if that could be or something else, what can I do?

What is your 389-ds-base version and platform?
Can you use ldapmodify to change the user password to one of the above
values? Can you use ipa-passwd? That is, is the problem specific to AD
PassSync, or is it a problem with these types of passwords in general?

Best regards.

Kind regards

Bennet Lingner

*Hochschule Anhalt* - ZIK <>

Tel. +49 (0) 3496 67-5420

Fax +49 (0) 3496 67-95420

Bernburger Straße 55

06366 Köthen (Anhalt)


Freeipa-users mailing list