Any ideas on this issue?
2016-09-02 9:47 GMT+02:00 Juan Carlos Camargo <juancar...@eprinsa.es>:
> I've been troubleshooting this issue.
> Reinstalled password sync, certificates, verified those certificates. And the sync started working, the sync user was able to check the remote password.
> Today, again, it's back: Binding with the user returns error 53 :(
>
> 09/02/16 09:32:12: Attempting to sync password for juankar
> 09/02/16 09:32:12: Searching for (ntuserdomainid=juankar)
> 09/02/16 09:32:12: Checking password failed for remote entry: uid=juankar,ou=xxxxx
> 09/02/16 09:32:12: Deferring password change for juankar
>
> and the ldap server is responding with error 53:
>
> [02/Sep/2016:09:32:12 +0200] conn=36 op=0 BIND dn="uid=juankar,xxxxxxx" method=128 version=3
> [02/Sep/2016:09:32:12 +0200] conn=36 op=0 RESULT err=53 tag=97 nentries=0 etime=0
>
> With ldp, from the affected windows 2012 server and connecting to the involved ldap server, using ssl I get no errors at all:
>
> res = ldap_simple_bind_s(ld, 'uid=juankar,xxxxxx', <unavailable>); // v.3
> Authenticated as: 'uid=juankar,ou=sistemas,ou=eprinsa,ou=usuarios,dc=metaeprinsa,dc=org'.
>
> Going crazy.
>
> 2016-08-30 8:44 GMT+02:00 Juan Carlos Camargo <juancar...@eprinsa.es>:
>> Thank you both for your answers.
>> Sorry I should've included more lines in my log.
>> Bindings with the passSync user are ok. But after that, the system tries to bind with the user whose password is being changed and that's when it fails:
>>
>> This is what happens when user jmml01 changes his password in Windows and he was connected to the failing controller:
>>
>> Windows:
>>
>> 08/30/16 08:28:56: Attempting to sync password for jmml01
>> 08/30/16 08:28:56: Searching for (ntuserdomainid=jmml01)
>> 08/30/16 08:28:56: Checking password failed for remote entry: uid=jmml01,ou=xxxxxxx
>> 08/30/16 08:28:56: Deferring password change for jmml01
>> 08/30/16 08:28:56: Backing off for 4096000ms
>>
>> 389ds:
>>
>> [30/Aug/2016:08:28:56 +0200] conn=262 fd=66 slot=66 SSL connection from A.B.C.D to A1.B1.C1.D1
>> [30/Aug/2016:08:28:56 +0200] conn=262 TLS1.2 256-bit AES
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 BIND dn="uid=winsync,ou=xxxxxx" method=128 version=3
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=winsync,ou=xxxxx"
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 SRCH base="ou=usuarios,ou=xxx" scope=2 filter="(ntUserDomainId=jmml01)" attrs=ALL
>> [30/Aug/2016:08:28:56 +0200] conn=262 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>> [30/Aug/2016:08:28:56 +0200] conn=263 fd=67 slot=67 SSL connection from A.B.C.D to A1.B1.C1.D1
>> [30/Aug/2016:08:28:56 +0200] conn=263 TLS1.2 256-bit AES
>> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 BIND dn="uid=jmml01,ou=xxxxx" method=128 version=3
>> [30/Aug/2016:08:28:56 +0200] conn=263 op=0 RESULT err=53 tag=97 nentries=0 etime=0
>> [30/Aug/2016:08:28:56 +0200] conn=263 op=1 UNBIND
>>
>> However if the user was connected on the other controller, the password will be successfully changed. I also believe it's a certificate problem, I'm going to review my config on that side.
>>
>> Regards!
>>
>> 2016-08-29 20:24 GMT+02:00 Noriko Hosoi <nho...@redhat.com>:
>>> On 08/29/2016 02:48 AM, Juan Carlos Camargo wrote:
>>>
>>>> Hi, 389ds'ers,
>>>>
>>>> I have two 2012 r2 domain controllers with passsync 1.6 x64 installed. They're both targeting 389-ds-base-1.3.4.9-1.fc22.x86_64. They're working flawlessly.
>>>> I don't know if it's been a software update or a change in the domain settings. Thing is today, one of the controllers has stopped sync'ing.
>>>
>>> Could there be a certificate issue? Did you have any chance to check the cert with the tool certutil?
>>>
>>> Also, if you could try binding as the user "uid=juankar,ou=xxx...." using an ldap command over SSL, you may be able to get more info, e.g., returned from the server.
>>>
>>> Thanks.
>>>
>>>> Whenever I change one password in that controller, the following message is logged in passsync.log:
>>>>
>>>> 08/29/16 11:30:07: Password list has 1 entries
>>>> 08/29/16 11:30:07: Attempting to sync password for juankar
>>>> 08/29/16 11:30:07: Searching for (ntuserdomainid=juankar)
>>>> 08/29/16 11:30:07: Checking password failed for remote entry: uid=juankar,ou=xxx....
>>>> 08/29/16 11:30:07: Deferring password change for juankar
>>>>
>>>> and in the server access log I get ldap bind err=53 when the passsync user tries to check the password:
>>>>
>>>> [29/Aug/2016:11:30:07 +0200] conn=276 fd=67 slot=67 SSL connection from xxxx
>>>> [29/Aug/2016:11:30:07 +0200] conn=276 TLS1.2 128-bit AES
>>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 BIND dn="uid=juankar,ou=xxx...." method=128 version=3
>>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=0 RESULT err=53 tag=97 nentries=0 etime=0
>>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 UNBIND
>>>> [29/Aug/2016:11:30:07 +0200] conn=276 op=1 fd=67 closed - U1
>>>> [29/Aug/2016:11:30:07 +0200] conn=275 op=2 UNBIND
>>>>
>>>> Any hints? Could it be a problem with certificates? They're both using the same CA (windows CA Cert serv is installed in one of the DCs)
>>>> Regards!
-- 389-users mailing list 389-users@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org