[389-users] Re: Strange behaviour password sync , windows 2012 r2

2016-09-14 Thread Juan Carlos Camargo
Any ideas on this issue?

2016-09-02 9:47 GMT+02:00 Juan Carlos Camargo :

> I've been troubleshooting this issue.
> Reinstalled password sync and certificates, verified those certificates. And
> the sync started working; the sync user was able to check the remote
> password.
> Today, again, it's back: binding with the user returns error 53 :(
>
> 09/02/16 09:32:12: Attempting to sync password for juankar
> 09/02/16 09:32:12: Searching for (ntuserdomainid=juankar)
> 09/02/16 09:32:12: Checking password failed for remote entry:
> uid=juankar,ou=x
> 09/02/16 09:32:12: Deferring password change for juankar
>
> and the ldap server is responding with error 53:
>
> [02/Sep/2016:09:32:12 +0200] conn=36 op=0 BIND dn="uid=juankar,xxx"
> method=128 version=3
> [02/Sep/2016:09:32:12 +0200] conn=36 op=0 RESULT err=53 tag=97 nentries=0
> etime=0
>
> With ldp, from the affected Windows 2012 server and connecting to the
> involved LDAP server using SSL, I get no errors at all:
>
> res = ldap_simple_bind_s(ld, 'uid=juankar,xx', ); // v.3
> Authenticated as: 'uid=juankar,ou=sistemas,ou=eprinsa,ou=usuarios,dc=metaeprinsa,dc=org'.
>
> Going crazy.
>
> 2016-08-30 8:44 GMT+02:00 Juan Carlos Camargo :
>
>> Thank you both for your answers.
>> Sorry, I should've included more lines in my log.
>> Bindings with the passSync user are ok. But after that, the system tries
>> to bind with the user whose password is being changed and that's when it
>> fails:
>>
>> This is what happens when user jmml01 changes his password in Windows and
>> he was connected to the failing controller:
>>
>> Windows:
>>
>> 08/30/16 08:28:56: Attempting to sync password for jmml01
>> 08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
>> 08/30/16 08:28:56: Checking password failed for remote entry:
>> uid=jmml01,ou=xxx
>> 08/30/16 08:28:56: Deferring password change for jmml01
>> 08/30/16 08:28:56: Backing off for 4096000ms
>>
>> 389ds:
>>
>> [30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from
>> A.B.C.D to A1.B1.C1.D1
>> [30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND
>> dn="uid=winsync,ou=xx" method=128 version=3
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0
>> etime=0 dn="uid=winsync,ou=x"
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx"
>> scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101
>> nentries=1 etime=0
>> [30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from
>> A.B.C.D to A1.B1.C1.D1
>> [30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
>> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=x"
>> method=128 version=3
>> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97
>> nentries=0 etime=0
>> [30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
>>
>> However, if the user was connected on the other controller, the password
>> will be successfully changed. I also believe it's a certificate problem;
>> I'm going to review my config on that side.
>>
>> Regards!
>>
>> 2016-08-29 20:24 GMT+02:00 Noriko Hosoi :
>>
>>> On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
>>>
>>> Hi, 389ds'ers,
>>>
>>> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
>>> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're
>>> working flawlessly.
>>> I don't know if it's been a software update or a change in the domain
>>> settings. The thing is, today one of the controllers has stopped syncing.
>>>
>>> Could there be a certificate issue? Did you have any chance to check
>>> the cert with the tool certutil?
>>>
>>> Also, if you could try binding as the user "uid=juankar,ou=xxx"
>>> using an ldap command over SSL, you may be able to get more info, e.g.,
>>> returned from the server.
>>>
>>> Thanks.
>>>
>>> Whenever I change one password in that controller, the following message
>>> is logged in passsync.log:
>>>
>>> 08/29/16 11:30:07: Password list has 1 entries
>>> 08/29/16 11:30:07: Attempting to sync password for juankar
>>> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
>>> 08/29/16 11:30:07: Checking password failed for remote entry:
>>> uid=juankar,ou=xxx
>>> 08/29/16 11:30:07: Deferring password change for juankar
>>>
>>> and in the server access log I get ldap bind err=53 when the passsync
>>> user tries to check the password:
>>>
>>> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
>>> 
>>> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND
>>> dn="uid=juankar,ou=xxx" method=128 version=3
>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97
>>> nentries=0 etime=0
>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND

[389-users] Re: Strange behaviour password sync , windows 2012 r2

2016-09-02 Thread Juan Carlos Camargo
I've been troubleshooting this issue.
Reinstalled password sync and certificates, verified those certificates. And
the sync started working; the sync user was able to check the remote
password.
Today, again, it's back: binding with the user returns error 53 :(

09/02/16 09:32:12: Attempting to sync password for juankar
09/02/16 09:32:12: Searching for (ntuserdomainid=juankar)
09/02/16 09:32:12: Checking password failed for remote entry:
uid=juankar,ou=x
09/02/16 09:32:12: Deferring password change for juankar

and the ldap server is responding with error 53:

[02/Sep/2016:09:32:12 +0200] conn=36 op=0 BIND dn="uid=juankar,xxx"
method=128 version=3
[02/Sep/2016:09:32:12 +0200] conn=36 op=0 RESULT err=53 tag=97 nentries=0
etime=0

With ldp, from the affected Windows 2012 server and connecting to the
involved LDAP server using SSL, I get no errors at all:

res = ldap_simple_bind_s(ld, 'uid=juankar,xx', ); // v.3
Authenticated as: 'uid=juankar,ou=sistemas,ou=eprinsa,ou=usuarios,dc=metaeprinsa,dc=org'.

Going crazy.

2016-08-30 8:44 GMT+02:00 Juan Carlos Camargo :

> Thank you both for your answers.
> Sorry, I should've included more lines in my log.
> Bindings with the passSync user are ok. But after that, the system tries
> to bind with the user whose password is being changed and that's when it
> fails:
>
> This is what happens when user jmml01 changes his password in Windows and
> he was connected to the failing controller:
>
> Windows:
>
> 08/30/16 08:28:56: Attempting to sync password for jmml01
> 08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
> 08/30/16 08:28:56: Checking password failed for remote entry:
> uid=jmml01,ou=xxx
> 08/30/16 08:28:56: Deferring password change for jmml01
> 08/30/16 08:28:56: Backing off for 4096000ms
>
> 389ds:
>
> [30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from
> A.B.C.D to A1.B1.C1.D1
> [30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xx"
> method=128 version=3
> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0
> etime=0 dn="uid=winsync,ou=x"
> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx"
> scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1
> etime=0
> [30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from
> A.B.C.D to A1.B1.C1.D1
> [30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=x"
> method=128 version=3
> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0
> etime=0
> [30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
>
> However, if the user was connected on the other controller, the password
> will be successfully changed. I also believe it's a certificate problem;
> I'm going to review my config on that side.
>
> Regards!
>
>
> 2016-08-29 20:24 GMT+02:00 Noriko Hosoi :
>
>> On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
>>
>> Hi, 389ds'ers,
>>
>> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
>> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're
>> working flawlessly.
>> I don't know if it's been a software update or a change in the domain
>> settings. The thing is, today one of the controllers has stopped syncing.
>>
>> Could there be a certificate issue? Did you have any chance to check the
>> cert with the tool certutil?
>>
>> Also, if you could try binding as the user "uid=juankar,ou=xxx" using
>> an ldap command over SSL, you may be able to get more info, e.g., returned
>> from the server.
>>
>> Thanks.
>>
>> Whenever I change one password in that controller, the following message
>> is logged in passsync.log:
>>
>> 08/29/16 11:30:07: Password list has 1 entries
>> 08/29/16 11:30:07: Attempting to sync password for juankar
>> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
>> 08/29/16 11:30:07: Checking password failed for remote entry:
>> uid=juankar,ou=xxx
>> 08/29/16 11:30:07: Deferring password change for juankar
>>
>> and in the server access log I get ldap bind err=53 when the passsync
>> user tries to check the password:
>>
>> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
>> 
>> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND
>> dn="uid=juankar,ou=xxx" method=128 version=3
>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97
>> nentries=0 etime=0
>> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
>> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
>> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>>
>> Any hints? Could it be a problem with certificates? They're both using the
>> same CA (Windows CA Cert serv is installed in one of the DCs)

[389-users] Re: Strange behaviour password sync , windows 2012 r2

2016-08-30 Thread Juan Carlos Camargo
Thank you both for your answers.
Sorry, I should've included more lines in my log.
Bindings with the passSync user are ok. But after that, the system tries to
bind with the user whose password is being changed and that's when it fails:

This is what happens when user jmml01 changes his password in Windows and
he was connected to the failing controller:

Windows:

08/30/16 08:28:56: Attempting to sync password for jmml01
08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
08/30/16 08:28:56: Checking password failed for remote entry:
uid=jmml01,ou=xxx
08/30/16 08:28:56: Deferring password change for jmml01
08/30/16 08:28:56: Backing off for 4096000ms

389ds:

[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from
A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xx"
method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=winsync,ou=x"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx"
scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1
etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from
A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=x"
method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0
etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND

However, if the user was connected on the other controller, the password
will be successfully changed. I also believe it's a certificate problem;
I'm going to review my config on that side.

Regards!

2016-08-29 20:24 GMT+02:00 Noriko Hosoi :

> On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
>
> Hi, 389ds'ers,
>
> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're
> working flawlessly.
> I don't know if it's been a software update or a change in the domain
> settings. The thing is, today one of the controllers has stopped syncing.
>
> Could there be a certificate issue? Did you have any chance to check the
> cert with the tool certutil?
>
> Also, if you could try binding as the user "uid=juankar,ou=xxx" using
> an ldap command over SSL, you may be able to get more info, e.g., returned
> from the server.
>
> Thanks.
>
> Whenever I change one password in that controller, the following message
> is logged in passsync.log:
>
> 08/29/16 11:30:07: Password list has 1 entries
> 08/29/16 11:30:07: Attempting to sync password for juankar
> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
> 08/29/16 11:30:07: Checking password failed for remote entry:
> uid=juankar,ou=xxx
> 08/29/16 11:30:07: Deferring password change for juankar
>
> and in the server access log I get ldap bind err=53 when the passsync user
> tries to check the password:
>
> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
> 
> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND
> dn="uid=juankar,ou=xxx" method=128 version=3
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0
> etime=0
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>
> Any hints? Could it be a problem with certificates? They're both using the
> same CA (Windows CA Cert serv is installed in one of the DCs)
> Regards!
>
> --
> 389-users mailing list
> 389-users@lists.fedoraproject.org
> https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
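The two connections above tell the story once they are read side by side: the winsync bind on conn=262 returns err=0 and the user bind on conn=263 returns err=53. Here is an added example (not from the thread, and not 389-ds or passsync code) that does that pairing mechanically: it joins each BIND in a 389-ds access log to its RESULT by the (conn, op) pair, notes whether the connection was opened over LDAPS, names the LDAP result code (RFC 4511: 53 is unwillingToPerform, 49 is invalidCredentials; method=128 is a simple bind), and lists the DNs whose bind failed. The sample log lines are constructed after the excerpt quoted in this message.

```python
import re

# LDAP result codes from RFC 4511 that matter for a failing bind.
RESULT_CODES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}
BIND_RESPONSE_TAG = 97  # tag= is the BER tag: [APPLICATION 1] BindResponse -> 0x61

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
SSL_RE = re.compile(r"SSL connection from (?P<src>\S+) to (?P<dst>\S+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)")

def correlate_binds(lines):
    """Return one record per BIND, joined to its RESULT by the (conn, op) pair."""
    conns, pending, records = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access-log record (e.g. a wrapped continuation)
        conn, rest = m["conn"], m["rest"]
        info = conns.setdefault(conn, {"ssl": False, "src": None})
        if s := SSL_RE.search(rest):  # this connection was opened over LDAPS
            info.update(ssl=True, src=s["src"])
        elif b := BIND_RE.search(rest):  # hold the bind until its RESULT arrives
            rec = {"conn": conn, "dn": b["dn"], "method": int(b["method"]),  # 128 = simple bind
                   "ssl": info["ssl"], "src": info["src"], "err": None, "result": None}
            pending[(conn, b["op"])] = rec
            records.append(rec)
        elif (r := RESULT_RE.search(rest)) and int(r["tag"]) == BIND_RESPONSE_TAG:
            rec = pending.pop((conn, r["op"]), None)
            if rec is not None:
                err = int(r["err"])
                rec.update(err=err, result=RESULT_CODES.get(err, f"code {err}"))
    return records

def failed_binds(records):
    """DNs whose bind did not succeed, including binds whose RESULT never arrived."""
    return sorted({r["dn"] for r in records if r["err"] != 0})

# Constructed sample modelled on the access-log excerpt quoted in the thread.
SAMPLE_LOG = """\
[30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xx" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=x"
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
[30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from A.B.C.D to A1.B1.C1.D1
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=x" method=128 version=3
[30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
"""

if __name__ == "__main__":
    for r in correlate_binds(SAMPLE_LOG.splitlines()):
        print(f"conn={r['conn']} ssl={r['ssl']} {r['dn']} -> err={r['err']} ({r['result']})")
    print("failed binds:", failed_binds(correlate_binds(SAMPLE_LOG.splitlines())))
```

Run against a real access log, the output separates a service-account (winsync) problem from a per-user bind problem in one pass, which is the distinction this message draws by hand.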


[389-users] Re: Strange behaviour password sync , windows 2012 r2

2016-08-29 Thread Arpit Tolani
Hello

On Mon, Aug 29, 2016 at 3:18 PM, Juan Carlos Camargo wrote:

> Hi, 389ds'ers,
>
> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
> They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64 . They're
> working flawlessly.
> I don't know if it's been a software update or a change in the domain
> settings. The thing is, today one of the controllers has stopped syncing.
> Whenever I change one password in that controller, the following message is
> logged in passsync.log:
>
> 08/29/16 11:30:07: Password list has 1 entries
> 08/29/16 11:30:07: Attempting to sync password for juankar
> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
> 08/29/16 11:30:07: Checking password failed for remote entry:
> uid=juankar,ou=xxx
> 08/29/16 11:30:07: Deferring password change for juankar
>
> and in the server access log I get ldap bind err=53 when the passsync user
> tries to check the password:
>
> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from
> 
> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND
> dn="uid=juankar,ou=xxx" method=128 version=3
> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0
> etime=0
> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
>

It looks like the BIND failed for that user. Can you use ldp.exe in Windows to
connect to the RHDS server and check?

Run ldp.exe
Connection > Connect
Enter the rhds server hostname in the server field
Enter port 636 in the port field
Check the SSL box
Click OK

Connection > Bind
Select the 'simple bind' radio button
Enter the DN uid=juankar,ou=xxx
Enter the password for the passsync account in the password field
Click OK

> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>
> Any hints? Could it be a problem with certificates? They're both using the
> same CA (Windows CA Cert serv is installed in one of the DCs)
> Regards!
>

-- 
Thanks & Regards
Arpit Tolani


[389-users] Re: Strange behaviour password sync , windows 2012 r2

2016-08-29 Thread Noriko Hosoi

On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:

Hi, 389ds'ers,

I have two 2012 r2 domain controllers with passsync 1.6 x64 installed.
They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're
working flawlessly.
I don't know if it's been a software update or a change in the domain
settings. The thing is, today one of the controllers has stopped syncing.
Could there be a certificate issue? Did you have any chance to check
the cert with the tool certutil?


Also, if you could try binding as the user "uid=juankar,ou=xxx"
using an ldap command over SSL, you may be able to get more info, e.g.,
returned from the server.


Thanks.
Whenever I change one password in that controller, the following
message is logged in passsync.log:


08/29/16 11:30:07: Password list has 1 entries
08/29/16 11:30:07: Attempting to sync password for juankar
08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
08/29/16 11:30:07: Checking password failed for remote entry:
uid=juankar,ou=xxx

08/29/16 11:30:07: Deferring password change for juankar

and in the server access log I get ldap bind err=53 when the passsync
user tries to check the password:


[29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from

[29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND
dn="uid=juankar,ou=xxx" method=128 version=3
[29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97
nentries=0 etime=0

[29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
[29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
[29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND

Any hints? Could it be a problem with certificates? They're both using
the same CA (Windows CA Cert serv is installed in one of the DCs)

Regards!
