Sorry for the noise, I did some backtracking in the mailing list
archives and found a conversation from December 2015 regarding the same
issue with a nice bugzilla attached
https://bugzilla.redhat.com/show_bug.cgi?id=1287092, I'll try to work
around the issue with group nesting.
/andreas
On 04/12/2016 02:41 PM, Andreas Calminder wrote:
Hello,
I've got a pretty strange problem with FreeIPA 4.2.0-15.el7 running on
a rhel 7.2 and wondering if anyone can shed some light on it. I've
setup a winsync agreement and it seems to be working fine, stuff gets
synced from the AD to IPA. I've also got the PassSync application
installed on all windows domain controllers and it's behaving a bit
unexpected. It would seem that password changes, initiated on the
windows side does not work for my user, however a change for another
user pass just fine.
From the passsync.log from the same Windows DC:
User:
04/08/16 16:29:12: Attempting to sync password for user1
04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
04/08/16 16:29:12: Password modified for remote entry:
uid=user1,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:29:12: Removing password change from list
Me:
04/08/16 16:31:45: Searching for (ntuserdomainid=me)
04/08/16 16:31:45: Ldap error in ModifyPassword
50: Insufficient access
04/08/16 16:31:45: Modify password failed for remote entry:
uid=me,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:31:45: Deferring password change for me
04/08/16 16:31:45: Backing off for 2000ms
Are there different permissions per user or do the passsync user on
the IPA side need to update it's permissions (the user me is an IPA
administrator)?
I'm currently running an older ipa version 3.0.0-37.el6 against the
same DC's, same passync user and password where this works. It also
works fine in my test environment (4.2.0). Am I missing something
obvious or am I doing something wrong?
Best regards,
Andreas
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project