Sorry for the noise, I did some backtracking in the mailing list archives and found a conversation from December 2015 regarding the same issue with a nice Bugzilla attached: https://bugzilla.redhat.com/show_bug.cgi?id=1287092. I'll try to work around the issue with group nesting.

/andreas

On 04/12/2016 02:41 PM, Andreas Calminder wrote:
Hello,
I've got a pretty strange problem with FreeIPA 4.2.0-15.el7 running on RHEL 7.2 and am wondering if anyone can shed some light on it. I've set up a winsync agreement and it seems to be working fine, stuff gets synced from the AD to IPA. I've also got the PassSync application installed on all Windows domain controllers and it's behaving a bit unexpectedly. It would seem that password changes initiated on the Windows side do not work for my user; however, a change for another user passes just fine.

From the passsync.log from the same Windows DC:

User:
04/08/16 16:29:12: Attempting to sync password for user1
04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
04/08/16 16:29:12: Password modified for remote entry: uid=user1,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:29:12: Removing password change from list

Me:
04/08/16 16:31:45: Searching for (ntuserdomainid=me)
04/08/16 16:31:45: Ldap error in ModifyPassword
        50: Insufficient access
04/08/16 16:31:45: Modify password failed for remote entry: uid=me,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:31:45: Deferring password change for me
04/08/16 16:31:45: Backing off for 2000ms

Are there different permissions per user, or does the passsync user on the IPA side need to update its permissions (the user me is an IPA administrator)?

I'm currently running an older IPA version, 3.0.0-37.el6, against the same DCs, same passsync user and password, where this works. It also works fine in my test environment (4.2.0). Am I missing something obvious or am I doing something wrong?

Best regards,
Andreas
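
Added example, not part of the original messages and not FreeIPA or PassSync code: a small Python parser for the passsync.log format quoted above that tallies per-user sync outcomes and lists the users whose password changes were rejected with LDAP result 50. The function names are hypothetical and the log layout is assumed from the excerpt only.

```python
import re
from collections import defaultdict

# Sample input: the passsync.log lines quoted in the message above.
SAMPLE_LOG = """\
04/08/16 16:29:12: Attempting to sync password for user1
04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
04/08/16 16:29:12: Password modified for remote entry: uid=user1,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:29:12: Removing password change from list
04/08/16 16:31:45: Searching for (ntuserdomainid=me)
04/08/16 16:31:45: Ldap error in ModifyPassword
        50: Insufficient access
04/08/16 16:31:45: Modify password failed for remote entry: uid=me,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:31:45: Deferring password change for me
04/08/16 16:31:45: Backing off for 2000ms
"""

STAMP = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d: (.*)$")
SEARCH = re.compile(r"Searching for \(ntuserdomainid=([^)]+)\)")
LDAP_CODE = re.compile(r"^\s+(\d+): (.+)$")  # indented line under "Ldap error"

def summarize(log_text):
    """Return {user: {"ok": n, "failed": n, "errors": {(code, text): n}}}."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0, "errors": defaultdict(int)})
    user, pending = None, None  # current user, LDAP result seen for that user
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:  # no timestamp: in the excerpt this is the LDAP result line
            c = LDAP_CODE.match(line)
            if c and user:
                pending = (int(c.group(1)), c.group(2).strip())
            continue
        msg = m.group(1)
        s = SEARCH.search(msg)
        if s:  # a new sync attempt starts; forget any earlier error
            user, pending = s.group(1), None
        elif user and msg.startswith("Password modified for remote entry:"):
            stats[user]["ok"] += 1
        elif user and msg.startswith("Modify password failed for remote entry:"):
            stats[user]["failed"] += 1
            if pending:
                stats[user]["errors"][pending] += 1
    return stats

def access_denied_users(stats):
    """Users with at least one LDAP result 50 (insufficientAccessRights)."""
    return sorted(u for u, s in stats.items()
                  if any(code == 50 for code, _ in s["errors"]))
```

Comparing the group memberships of the accounts this returns against those of an account that syncs cleanly is a quick way to see whether the rejection follows a particular group.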

