Hello, Gonzalo,

Any progress on your Password Synchronization?

Let me double-check a couple of things. You wrote that you installed PassSync on Windows 2013 (which could be a typo?). We support Windows Server 2008 R2 and 2012 R2. We also confirmed it works on Windows Server 2003 R2.

On 03/13/2015 12:45 PM
I got the Password Sync Tool installed in the Windows2013 box

You can find the doc on PassSync here.


The doc covers PassSync 1.1.5, but 1.1.6 is unchanged except for the default SSL version used to connect to the 389 Directory Server (as we discussed before).

We had a discussion regarding the PassSync user you had to create:


FreeIPA is supposed to generate a PassSync user by running ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man ipa-replica-manage.)

There must be some problem, as FreeIPA creates its own PassSync user in
"cn=sysaccounts,cn=etc,<SUFFIX>" and also sets its DN as
passSyncManagersDNs in the ipa_pwd_extop plugin to avoid it creating expired
passwords. So there is no need to create
"uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" manually.

Please see the above doc regarding the user creation.

   The username of the system user which Active Directory uses to
   connect to the IdM machine. This account is configured automatically
   when sync is configured on the IdM server. The default account is
   The password set in the --passsync option when the sync agreement
   was created.

I'm sending this response to freeipa-users to share the info and to request more suggestions.


On 03/13/2015 02:48 PM
I forgot to attach the search command now:
# passsync, users, accounts, corp.company.com
dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
cn: passsync
displayName: passsync
krbLastFailedAuth: 20150313211546Z
krbLoginFailedCount: 1
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
krbLastPwdChange: 20150313210836Z
krbPasswordExpiration: 20150611210836Z
mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
gecos: pass sync
sn: sync
homeDirectory: /home/passsync
uid: passsync
mail: passs...@corp.company.com
krbPrincipalName: passs...@corp.company.com
givenName: pass
initials: ps
userPassword:: zxxxxxxxx=
ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
uidNumber: 1481000829
gidNumber: 1481000829
krbPrincipalKey:: dfrerererer

# search result
search: 2

On 2015-03-13 21:39

I had to manually create the user!! For some reason I thought the sync
agreement task was also creating that entry for the DS!

So now I got:

[13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH
scope=0 filter="(objectClass=*)" attrs="telephoneNumber uid title
loginShell uidNumber gidNumber sn homeDirectory mail ou givenName
[13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH
scope=0 filter="(userPassword=*)" attrs="userPassword"
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH
scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH
scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
[13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101
nentries=828 etime=90 notes=U
[13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON targetop=NOTFOUND msgid=16
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH
base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0
filter="(objectClass=*)" attrs="* aci"
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON targetop=NOTFOUND msgid=18
[13/Mar/2015:14:27:42 -0700] conn=67 fd=103 slot=103 connection from ::1 to ::1
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND dn="cn=directory
manager" method=128 version=3
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=directory manager"
[13/Mar/2015:14:27:42 -0700] conn=67 op=1 SRCH
scope=2 filter="(objectClass=*)" attrs=ALL
[13/Mar/2015:14:27:42 -0700] conn=67 op=1 RESULT err=0 tag=101
nentries=1 etime=0 notes=U
[13/Mar/2015:14:27:42 -0700] conn=67 op=2 UNBIND
[13/Mar/2015:14:27:42 -0700] conn=67 op=2 fd=103 closed - U1

And target not found??? What else might I be missing?


On 2015-03-13 21:01
On 03/13/2015 01:49 PM

Restarted... And I have also re-initiated the replica just in case....

I can see the following:
[13/Mar/2015:13:41:35 -0700] conn=34 op=329 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
Do you have a user
"uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" in your
Directory Server?

On the host/VM where your Directory Server is running, please run this
command line search.  Does it return the entry?
ldapsearch -x -h localhost -p 389 -D 'cn=directory manager' -W -b
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=2 filter="(ntUserDomainId=john.test)" attrs=ALL
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=34 op=330 SRCH base="cn=meTohqdc1.corp.company.com,cn=replica,cn=dc\3Dcorp\2Cdc\3Dcompany\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsds5replicaLastInitStart nsds5replicaUpdateInProgress nsds5replicaLastInitStatus cn nsds5BeginReplicaRefresh nsds5replicaLastInitEnd"
[13/Mar/2015:13:41:36 -0700] conn=34 op=330 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 fd=101 slot=101 SSL connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=36 SSL 128-bit AES
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=1 UNBIND
[13/Mar/2015:13:41:36 -0700] conn=36 op=1 fd=101 closed - U1
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 nentries=0 etime=0
Since the above bind failed, your PassSync has no right to update the
password on the Directory Server and the modify attempt failed with

[13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
[13/Mar/2015:13:41:37 -0700] conn=35 op=3 fd=84 closed - U1


Note there are 2 errors there:
dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3

 ipa user-show John.Test
  User login: john.test
  First name: John
  Last name: Test
  Home directory: /home/john.test
  Login shell: /bin/bash
  UID: 1481000790
  GID: 1481000790
  Account disabled: False
  Password: False
  Kerberos keys available: False

The password is still set as False.
The PassSync tool got defined with the search base:

cn=users,cn=accounts,dc=corp,dc=company,dc=com .. which should be all right.

Thanks for all your help!
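As an added example (not code from this thread, nor from the PassSync or FreeIPA projects): a small Python triage script for 389 DS access-log excerpts like the ones pasted above. It splits records that the mail client ran together or wrapped across lines, pairs each BIND/SRCH/MOD with its RESULT, remembers which identity each connection is bound as, and turns the three failures seen in the thread (err=32 on the passsync BIND, err=48 on the john.test BIND, err=50 on the MOD) into a plain diagnosis. The sample log is constructed after the lines in the thread; the hints are the standard LDAP result-code meanings, not PassSync's own messages.

```python
import re

# Constructed sample, not a real capture: a 389 DS access-log fragment modelled on the
# lines quoted in this thread.  The third entry deliberately has two records run
# together on one line (as in the pasted log) to exercise the record splitter, and the
# SRCH entry is wrapped across two lines the way mail clients wrap long lines.
SAMPLE_LOG = """\
[13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3 [13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH base="cn=users,cn=accounts,dc=corp,dc=company,dc=com"
scope=2 filter="(ntUserDomainId=john.test)" attrs=ALL
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=1 UNBIND
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
"""

_TS = r"\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]"
_RECORD_START = re.compile("(?=" + _TS + ")")
_OP = re.compile("^" + _TS + r" conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$")
_DN = re.compile(r'dn="([^"]*)"')
_ERR = re.compile(r"err=(\d+)")

# LDAP result codes that matter for PassSync triage (RFC 4511 names).
LDAP_RESULT = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
               49: "invalidCredentials", 50: "insufficientAccessRights"}


def split_records(text):
    """Return one access-log record per item, undoing mail wrapping and run-together records."""
    flat = " ".join(text.split())  # collapse newlines and indentation from the paste
    return [r.strip() for r in _RECORD_START.split(flat) if r.strip()]


def diagnose(kind, err, dn, identity):
    """Turn (operation, result code) into the question to ask next."""
    if kind == "BIND" and err == 32:
        return "bind DN %s does not exist on this server; check which DN PassSync is configured to bind as" % dn
    if kind == "BIND" and err == 48:
        return "%s cannot be authenticated by simple bind, typically because the entry has no userPassword" % dn
    if kind == "MOD" and err == 50:
        who = identity or "an unauthenticated connection (the earlier BIND on this conn failed)"
        return "modify of %s attempted by %s, which has no write access to the entry" % (dn, who)
    return "unexpected failure, see the LDAP result code"


def triage(text):
    """Pair every request with its RESULT and return a finding for each failed operation."""
    pending = {}    # (conn, op) -> (kind, dn) of the request awaiting its RESULT
    bound_dn = {}   # conn -> DN the connection is authenticated as (None if its bind failed)
    findings = []
    for rec in split_records(text):
        m = _OP.match(rec)
        if not m:
            continue  # connection open/close and SSL lines carry no op=
        conn, op, kind, rest = m["conn"], m["op"], m["kind"], m["rest"]
        if kind != "RESULT":
            dn_m = _DN.search(rest)
            pending[(conn, op)] = (kind, dn_m.group(1) if dn_m else None)
            continue
        kind, dn = pending.pop((conn, op), ("?", None))
        err = int(_ERR.search(rest).group(1))
        if kind == "BIND":
            bound_dn[conn] = dn if err == 0 else None
        if err != 0:
            findings.append({"conn": conn, "op": op, "kind": kind, "dn": dn, "err": err,
                             "name": LDAP_RESULT.get(err, "unknown"),
                             "hint": diagnose(kind, err, dn, bound_dn.get(conn))})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("conn=%(conn)s op=%(op)s %(kind)s err=%(err)s (%(name)s): %(hint)s" % f)
```

Run it on a real log with triage(open(path).read()). The MOD hint is the one worth reading first: when the BIND on the same conn has already failed, the later modify is made anonymously, so the err=50 is a consequence of the bind problem rather than a separate ACI issue, and the bind DN is what needs fixing.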

