Re: [Freeipa-users] Active Directory password sync fails with RC 34

2016-06-21 Thread Rich Megginson

Great!  Glad you got that working.

Next step is to use AD trust instead of sync . . .

On 06/21/2016 12:58 AM, Toby Gale wrote:

Thanks for the help Rich.

Looking at the log I noticed some extra characters in the DN that 
corresponds to "Search Base".  I got the Windows admin to share his 
RDP session to the DC and had a look at the registry in 
"HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". I noticed the same 
characters in the "Search Base" key.  I think the extra characters 
were accidentally copy-pasted from the documentation I sent them.


Removing them and restarting the service has resolved the problem.


On Mon, Jun 20, 2016 at 3:49 PM, Rich Megginson wrote:


On 06/18/2016 05:47 AM, Toby Gale wrote:


Hello,

After successfully adding a 'winsync' agreement and loading AD
data into FreeIPA I am trying to configure the password sync
software on the domain controllers.

I have installed the certificates and can successfully bind from
the domain controller using ldp.exe and the
'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.

I have edited the registry to increase logging, by setting
'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I
am seeing the error:

06/17/16 08:47:32: Backoff time expired.  Attempting sync
06/17/16 08:47:32: Password list has 1 entries
06/17/16 08:47:32: Attempting to sync password for some.user
06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
06/17/16 08:47:32: Ldap error in QueryUsername
34: Invalid DN syntax

Take a look at the 389/dirsrv access log on your linux host at
/var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the
error corresponding to this - it should be at the same approximate
date/time (make sure you check your time zones) and the RESULT
line should have err=34


06/17/16 08:47:32: Deferring password change for some.user
06/17/16 08:47:32: Backing off for 1024000ms

When I run the query from the CLI, it is successful:

$ ldapsearch -x -H ldaps://localhost:636 \
    -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' \
    -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' \
    '(ntuserdomainid=some.user)'

Can anyone help me resolve this?

Thanks.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Active Directory password sync fails with RC 34

2016-06-21 Thread Toby Gale
Thanks for the help Rich.

Looking at the log I noticed some extra characters in the DN that
corresponds to "Search Base".  I got the Windows admin to share his RDP
session to the DC and had a look at the registry in
"HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync".
I noticed the same characters in the "Search Base" key.  I think the extra
characters were accidentally copy-pasted from the documentation I sent them.

Removing them and restarting the service has resolved the problem.


On Mon, Jun 20, 2016 at 3:49 PM, Rich Megginson wrote:

> On 06/18/2016 05:47 AM, Toby Gale wrote:
>
> Hello,
>
> After successfully adding a 'winsync' agreement and loading AD data into
> FreeIPA I am trying to configure the password sync software on the domain
> controllers.
>
> I have installed the certificates and can successfully bind from the
> domain controller using ldp.exe and the
> 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.
>
> I have edited the registry to increase logging, by setting
> 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing
> the error:
>
> 06/17/16 08:47:32: Backoff time expired.  Attempting sync
> 06/17/16 08:47:32: Password list has 1 entries
> 06/17/16 08:47:32: Attempting to sync password for some.user
> 06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
> 06/17/16 08:47:32: Ldap error in QueryUsername
> 34: Invalid DN syntax
>
>
> Take a look at the 389/dirsrv access log on your linux host at
> /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error
> corresponding to this - it should be at the same approximate date/time
> (make sure you check your time zones) and the RESULT line should have err=34
>
> 06/17/16 08:47:32: Deferring password change for some.user
> 06/17/16 08:47:32: Backing off for 1024000ms
>
> When I run the query from the CLI, it is successful:
>
> $ ldapsearch -x -H ldaps://localhost:636 \
>     -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' \
>     -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' \
>     '(ntuserdomainid=some.user)'
>
> Can anyone help me resolve this?
>
> Thanks.

Re: [Freeipa-users] Active Directory password sync fails with RC 34

2016-06-20 Thread Rich Megginson

On 06/18/2016 05:47 AM, Toby Gale wrote:


Hello,

After successfully adding a 'winsync' agreement and loading AD data 
into FreeIPA I am trying to configure the password sync software on 
the domain controllers.


I have installed the certificates and can successfully bind from the 
domain controller using ldp.exe and the 
'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.


I have edited the registry to increase logging, by setting 
'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am 
seeing the error:


06/17/16 08:47:32: Backoff time expired.  Attempting sync
06/17/16 08:47:32: Password list has 1 entries
06/17/16 08:47:32: Attempting to sync password for some.user
06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
06/17/16 08:47:32: Ldap error in QueryUsername
34: Invalid DN syntax

Take a look at the 389/dirsrv access log on your linux host at 
/var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error 
corresponding to this - it should be at the same approximate date/time 
(make sure you check your time zones) and the RESULT line should have err=34

06/17/16 08:47:32: Deferring password change for some.user
06/17/16 08:47:32: Backing off for 1024000ms

When I run the query from the CLI, it is successful:

$ ldapsearch -x -H ldaps://localhost:636 \
    -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' \
    -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' \
    '(ntuserdomainid=some.user)'


Can anyone help me resolve this?

Thanks.
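
Rich's advice above is to find the RESULT line with err=34 in the dirsrv access log; the line that actually explains it is the SRCH (or BIND) carrying the same conn= and op= numbers just before it, because that is where the DN PassSync really sent shows up, stray characters included. The script below is an added example, not code from this thread or from the FreeIPA/389-ds projects: it correlates RESULT err=34 lines with their SRCH/BIND by conn/op and runs a small RFC 4514 syntax check over the DN to flag the kind of pasted-in characters Toby later found in the "Search Base" registry value. The log lines embedded in it are constructed for the example; the specific stray characters (a non-breaking space and a quote) are an assumption, and the exact base text 389-ds records for a malformed base may differ from what is shown.

```python
"""Find err=34 (invalid DN syntax) results in a 389-ds / FreeIPA access log,
tie each one back to the BIND or SRCH operation that caused it, and point at
the characters in that DN which break RFC 4514 parsing or look pasted in."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LDAP_INVALID_DN_SYNTAX = 34

# Constructed sample in 389-ds access-log format; not taken from the thread.
# conn=12 op=1 carries a trailing NBSP and quote on the search base, standing
# in for whatever got pasted into the PassSync "Search Base" registry value
# (an assumption). conn=13 binds with an RDN that is missing its "=".
SAMPLE_ACCESS_LOG = """\
[17/Jun/2016:08:47:32 +0000] conn=12 fd=64 slot=64 SSL connection from 10.0.0.5 to 10.0.0.10
[17/Jun/2016:08:47:32 +0000] conn=12 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com" method=128 version=3
[17/Jun/2016:08:47:32 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com"
[17/Jun/2016:08:47:32 +0000] conn=12 op=1 SRCH base="cn=users,cn=accounts,dc=my,dc=domain,dc=com\u00a0'" scope=2 filter="(ntuserdomainid=some.user)" attrs="uid"
[17/Jun/2016:08:47:32 +0000] conn=12 op=1 RESULT err=34 tag=101 nentries=0 etime=0
[17/Jun/2016:08:47:40 +0000] conn=13 op=0 BIND dn="uid=passsync,sysaccounts,cn=etc,dc=my,dc=domain,dc=com" method=128 version=3
[17/Jun/2016:08:47:40 +0000] conn=13 op=0 RESULT err=34 tag=97 nentries=0 etime=0
[17/Jun/2016:08:47:45 +0000] conn=14 op=1 SRCH base="cn=users,cn=accounts,dc=my,dc=domain,dc=com" scope=2 filter="(ntuserdomainid=other.user)" attrs="uid"
[17/Jun/2016:08:47:45 +0000] conn=14 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>BIND|SRCH|RESULT) (?P<rest>.*)$')
DN_RE = re.compile(r'\b(?:base|dn)="(?P<dn>[^"]*)"')      # bind DN or search base
FILTER_RE = re.compile(r'\bfilter="(?P<f>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)\b')
ATTR_TYPE_RE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$')  # descr or OID


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep while honouring RFC 4514 backslash escapes (e.g. cn=a\\,b)."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):   # keep the escape pair intact
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append(''.join(buf))
    return parts


def dn_problems(dn: str) -> List[str]:
    """Reasons a DN would fail RFC 4514 parsing, plus characters that are
    technically legal but almost always mean copy-paste junk (non-ASCII,
    quotes). An empty list means the DN looks clean."""
    problems: List[str] = []
    for rdn in split_unescaped(dn, ','):
        for ava in split_unescaped(rdn, '+'):
            if '=' not in ava:
                problems.append(f'RDN {ava!r} has no "=", so it is not attr=value')
                continue
            attr, value = ava.split('=', 1)
            if not ATTR_TYPE_RE.match(attr.lstrip(' ')):
                problems.append(f'bad attribute type {attr!r} in {ava!r}')
            if value == '':
                problems.append(f'empty value in {ava!r}')
            i = 0
            while i < len(value):
                ch = value[i]
                if ch == '\\':                 # escaped character: whatever follows is legal
                    i += 2
                    continue
                if not 0x20 <= ord(ch) <= 0x7E:
                    problems.append(f'suspicious non-printable or non-ASCII U+{ord(ch):04X} '
                                    f'at offset {i} of value in {ava!r}')
                elif ch in '"<>;':
                    problems.append(f'unescaped {ch!r} at offset {i} of value in {ava!r} '
                                    f'(RFC 4514 requires a backslash)')
                elif ch == "'":
                    problems.append(f'stray single quote at offset {i} of value in {ava!r}')
                i += 1
    return problems


@dataclass
class Finding:
    conn: str
    op: str
    kind: str                    # BIND or SRCH that the failing RESULT belongs to
    ts: str
    dn: Optional[str]            # bind DN or search base exactly as the client sent it
    search_filter: Optional[str]
    err: int
    problems: List[str]


def find_dn_errors(log_text: str, err_code: int = LDAP_INVALID_DN_SYNTAX) -> List[Finding]:
    """Join each RESULT err=<err_code> to the BIND/SRCH with the same conn/op."""
    pending: Dict[Tuple[str, str], Tuple[str, str, Optional[str], Optional[str]]] = {}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m['conn'], m['op'])
        if m['kind'] in ('BIND', 'SRCH'):
            d = DN_RE.search(m['rest'])
            f = FILTER_RE.search(m['rest'])
            pending[key] = (m['kind'], m['ts'], d['dn'] if d else None, f['f'] if f else None)
            continue
        e = ERR_RE.search(m['rest'])
        req = pending.pop(key, None)       # a RESULT closes the op whatever its err
        if not e or int(e['err']) != err_code:
            continue
        kind, ts, dn, filt = req if req else ('?', m['ts'], None, None)
        findings.append(Finding(m['conn'], m['op'], kind, ts, dn, filt, err_code,
                                dn_problems(dn) if dn is not None else []))
    return findings


if __name__ == '__main__':
    import sys
    text = (open(sys.argv[1], encoding='utf-8', errors='replace').read()
            if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG)
    for fnd in find_dn_errors(text):
        print(f'[{fnd.ts}] conn={fnd.conn} op={fnd.op} {fnd.kind} -> err={fnd.err} '
              f'filter={fnd.search_filter}')
        print(f'  dn: {fnd.dn!r}')
        for p in fnd.problems:
            print(f'    - {p}')
```

Run it with the path to the access log (for example /var/log/dirsrv/slapd-HOSTNAME/access) as the only argument; with no argument it walks the constructed sample. The timestamps in 389-ds access logs carry their UTC offset, which is what you want when lining them up against the PassSync log on the DC, as Rich notes. The repr() of the DN is printed deliberately: a non-breaking space or a curly quote pasted from a document is invisible in a plain print but shows up as an escape there, which is exactly the class of mistake behind "Invalid DN syntax" when the same DN typed by hand works.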

[Freeipa-users] Active Directory password sync fails with RC 34

2016-06-18 Thread Toby Gale
Hello,

After successfully adding a 'winsync' agreement and loading AD data into
FreeIPA I am trying to configure the password sync software on the domain
controllers.

I have installed the certificates and can successfully bind from the domain
controller using ldp.exe and the
'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.

I have edited the registry to increase logging, by setting
'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing
the error:

06/17/16 08:47:32: Backoff time expired.  Attempting sync
06/17/16 08:47:32: Password list has 1 entries
06/17/16 08:47:32: Attempting to sync password for some.user
06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
06/17/16 08:47:32: Ldap error in QueryUsername
34: Invalid DN syntax
06/17/16 08:47:32: Deferring password change for some.user
06/17/16 08:47:32: Backing off for 1024000ms

When I run the query from the CLI, it is successful:

$ ldapsearch -x -H ldaps://localhost:636 \
    -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' \
    -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' \
    '(ntuserdomainid=some.user)'

Can anyone help me resolve this?

Thanks.