Re: [Freeipa-users] Active Directory password sync fails with RC 34
Great! Glad you got that working. Next step is to use AD trust instead of sync . . .

On 06/21/2016 12:58 AM, Toby Gale wrote:
> Thanks for the help Rich. Looking at the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in "HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". I noticed the same characters in the "Search Base" key. I think the extra characters were accidentally copy-pasted from the documentation I sent them. Removing them and restarting the service has resolved the problem.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Active Directory password sync fails with RC 34
Thanks for the help Rich. Looking at the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in "HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". I noticed the same characters in the "Search Base" key. I think the extra characters were accidentally copy-pasted from the documentation I sent them. Removing them and restarting the service has resolved the problem.

On Mon, Jun 20, 2016 at 3:49 PM, Rich Megginson wrote:
> On 06/18/2016 05:47 AM, Toby Gale wrote:
>> Hello,
>>
>> After successfully adding a 'winsync' agreement and loading AD data into FreeIPA I am trying to configure the password sync software on the domain controllers.
>>
>> I have installed the certificates and can successfully bind from the domain controller using ldp.exe and the 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.
>>
>> I have edited the registry to increase logging, by setting 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing the error:
>>
>> 06/17/16 08:47:32: Backoff time expired. Attempting sync
>> 06/17/16 08:47:32: Password list has 1 entries
>> 06/17/16 08:47:32: Attempting to sync password for some.user
>> 06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
>> 06/17/16 08:47:32: Ldap error in QueryUsername 34: Invalid DN syntax
>
> Take a look at the 389/dirsrv access log on your linux host at /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error corresponding to this - it should be at the same approximate date/time (make sure you check your time zones) and the RESULT line should have err=34
>
>> 06/17/16 08:47:32: Deferring password change for some.user
>> 06/17/16 08:47:32: Backing off for 1024000ms
>>
>> When I run the query from the CLI, it is successful:
>>
>> $ ldapsearch -x -H ldaps://localhost:636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'
>>
>> Can anyone help me resolve this?
>>
>> Thanks.
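The cause Toby found, stray characters pasted into the PassSync "Search Base" DN, can be caught before the service is restarted. What follows is an added example, not code from the thread or from PassSync/389-ds: it checks a DN string for invisible non-ASCII characters and for RFC 4514 structure, so copy-paste residue shows up as a named problem instead of as err=34 from the server. The two sample DN values are constructed; the thread does not show the real value or the characters that were in it.

```python
import re
import unicodedata

# Constructed samples standing in for the PassSync "Search Base" registry value;
# the thread does not show the real value or the stray characters it contained.
GOOD_BASE = "cn=users,cn=accounts,dc=my,dc=domain,dc=com"
BAD_BASE = "cn=users,\u200bcn=accounts,dc=my,dc=domain,dc=com\u00a0"  # ZWSP + NBSP

# RFC 4514 attribute type: a descriptor such as "cn" or a dotted OID
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

def _split_unescaped(s, sep):
    """Split s on sep, keeping backslash-escaped pairs such as "\\," intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def check_dn(dn):
    """Return a list of problems; empty means dn parses as an RFC 4514 DN."""
    problems = []
    # Characters that render as nothing (or as a plain space) but are not ASCII:
    # the usual residue of copy-pasting a DN out of HTML or PDF documentation.
    for i, ch in enumerate(dn):
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc") or (cat == "Zs" and ch != " "):
            problems.append(f"invisible char U+{ord(ch):04X} "
                            f"({unicodedata.name(ch, '?')}) at offset {i}")
    # Structure: each RDN component is attr=value with a well-formed attribute
    # type and no unescaped special characters in the value.
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                problems.append(f"component without '=': {ava!r}")
                continue
            attr, value = ava.split("=", 1)
            if not _ATTR_TYPE.match(attr.strip()):
                problems.append(f"bad attribute type {attr!r}")
            for special in '"<>;':
                if len(_split_unescaped(value, special)) > 1:
                    problems.append(f"unescaped {special!r} in value of {attr!r}")
    return problems
```

Run check_dn() over the value read from the registry (or over any DN pasted into a config file) and fix every reported offset before restarting the service.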
Re: [Freeipa-users] Active Directory password sync fails with RC 34
On 06/18/2016 05:47 AM, Toby Gale wrote:
> Hello,
>
> After successfully adding a 'winsync' agreement and loading AD data into FreeIPA I am trying to configure the password sync software on the domain controllers.
>
> I have installed the certificates and can successfully bind from the domain controller using ldp.exe and the 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.
>
> I have edited the registry to increase logging, by setting 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing the error:
>
> 06/17/16 08:47:32: Backoff time expired. Attempting sync
> 06/17/16 08:47:32: Password list has 1 entries
> 06/17/16 08:47:32: Attempting to sync password for some.user
> 06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
> 06/17/16 08:47:32: Ldap error in QueryUsername 34: Invalid DN syntax

Take a look at the 389/dirsrv access log on your linux host at /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error corresponding to this - it should be at the same approximate date/time (make sure you check your time zones) and the RESULT line should have err=34

> 06/17/16 08:47:32: Deferring password change for some.user
> 06/17/16 08:47:32: Backing off for 1024000ms
>
> When I run the query from the CLI, it is successful:
>
> $ ldapsearch -x -H ldaps://localhost:636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'
>
> Can anyone help me resolve this?
>
> Thanks.
[Freeipa-users] Active Directory password sync fails with RC 34
Hello,

After successfully adding a 'winsync' agreement and loading AD data into FreeIPA I am trying to configure the password sync software on the domain controllers.

I have installed the certificates and can successfully bind from the domain controller using ldp.exe and the 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.

I have edited the registry to increase logging, by setting 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing the error:

06/17/16 08:47:32: Backoff time expired. Attempting sync
06/17/16 08:47:32: Password list has 1 entries
06/17/16 08:47:32: Attempting to sync password for some.user
06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
06/17/16 08:47:32: Ldap error in QueryUsername 34: Invalid DN syntax
06/17/16 08:47:32: Deferring password change for some.user
06/17/16 08:47:32: Backing off for 1024000ms

When I run the query from the CLI, it is successful:

$ ldapsearch -x -H ldaps://localhost:636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'

Can anyone help me resolve this?

Thanks.