[389-users] active directory password sync

Sergio A. Morales sergiomorales at archlinux.cl
Wed Jan 27 22:23:28 UTC 2010


On Wed, 2010-01-27 at 17:30 -0300, Ldap Tester wrote:
> I have two 389 servers, one under fedora 12 and one under fedora 11.
> They have the following packages:
> 
> 389-admin-1.1.9-1.fc12.x86_64
> 389-admin-console-1.1.4-2.fc12.noarch
> 389-admin-console-doc-1.1.4-2.fc12.noarch
> 389-adminutil-1.1.8-4.fc12.x86_64
> 389-console-1.1.3-5.fc12.noarch
> 389-ds-1.1.3-5.fc12.noarch
> 389-ds-base-1.2.5-1.fc12.x86_64
> 389-ds-base-devel-1.2.5-1.fc12.x86_64
> 389-ds-console-1.2.0-5.fc12.noarch
> 389-ds-console-doc-1.2.0-5.fc12.noarch
> 389-dsgw-1.1.4-1.fc12.x86_64
> 
> 389-admin-1.1.8-4.fc11.x86_64
> 389-admin-console-1.1.4-1.fc11.noarch
> 389-admin-console-doc-1.1.4-1.fc11.noarch
> 389-adminutil-1.1.8-3.fc11.x86_64
> 389-console-1.1.3-4.fc11.noarch
> 389-ds-1.1.3-4.fc11.noarch
> 389-ds-base-1.2.5-1.fc11.x86_64
> 389-ds-base-devel-1.2.5-1.fc11.x86_64
> 389-ds-console-1.2.0-4.fc11.noarch
> 389-ds-console-doc-1.2.0-4.fc11.noarch
> 389-dsgw-1.1.4-1.fc11.x86_64
> 
> They are set up as multi masters.
> 
> I also have a windows 2003 Active Directory server.
> I have password sync'ing set up between the AD and the fedora 12 389
> server.
> 
> This has been working for several years.
> I have recently noticed a problem that may have existed for some time
> now, maybe always.
> 
> If I change a user password via windows, everything works as expected.
> The password changes on windows and both fedora machines.
> If I change a user password via the fedora 12 machine,
> the one that has the sync agreement with the windows machine,
> again, everything works as expected,
> The password changes on windows and both fedora machines.
> 
> However, if I change a user password via the fedora 11 machine,
> the one that does not have the sync agreement with the windows
> machine,
> then, the password changes on both fedora machines,
> but NOT on the windows machine.
> 
> This is not how it is supposed to work, right?
> 
> I have looked at all sorts of logs, and still have no clue as to the
> problem.
> (I do not believe it is a fedora 11 versus fedora 12 problem.)
> Does anybody have any ideas?

I had the same scenario.

Remember that the encrypted passwords are not synchronized with
Windows. 

When you change your password on your F11, it is stored encrypted. Then
MMR transmits the encrypted `userPassword` to your F12. Therefore, the
password does not synchronize with Windows, since, as already mentioned,
it is encrypted.

In my case, I decided to change to a Master / Slave scenario. Thus, your
F11 will be read-only and such changes will be forwarded to your F12
(this includes passwd), where they will be written.


Greetings

P.D.: I apologize for my poor English.
-- 
Sergio A. Morales <sergiomorales at archlinux.cl>
uSCI & CSRG Sysadmin
Archlinux Chile
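As an added illustration of the read-only approach (this is not Sergio's configuration and not from the thread), the LDIF below demotes the F11 replica of the suffix to read-only and refers writes to F12, so a password modify sent to F11 is redirected to the master that holds the Windows sync agreement and can capture the clear-text value. It assumes the suffix dc=example,dc=com and the hostnames f11.example.com and f12.example.com; adjust them to your deployment.

```ldif
# Added example, not from the original thread. Assumed values:
#   suffix:      dc=example,dc=com
#   F11 (demote): ldap://f11.example.com
#   F12 (keeps the Windows sync agreement): ldap://f12.example.com
# Apply on F11 as Directory Manager:
#   ldapmodify -x -D "cn=Directory Manager" -W -H ldap://f11.example.com -f demote-f11.ldif

# Replica entry for the suffix (the suffix DN is escaped inside the cn value).
# nsDS5ReplicaType 3 = read-write master, 2 = read-only replica.
# nsDS5Flags 0 = changes are not logged locally (plain consumer).
# nsDS5ReplicaReferral makes F11 answer write requests with a referral to F12,
# so the userPassword change is executed on F12, which then forwards it to AD.
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicaType
nsDS5ReplicaType: 2
-
replace: nsDS5Flags
nsDS5Flags: 0
-
replace: nsDS5ReplicaReferral
nsDS5ReplicaReferral: ldap://f12.example.com/
```

After the change, F11 should no longer supply updates to F12, so delete the F11-to-F12 replication agreement on F11 and keep only F12's agreement towards F11; confirm that the Windows sync agreement still lives on F12 with `ldapsearch -x -D "cn=Directory Manager" -W -H ldap://f12.example.com -b cn=config "(objectClass=nsDSWindowsReplicationAgreement)" nsDS5ReplicaHost`. Clients and password-change tools must either follow LDAP referrals or be pointed directly at F12 for writes, otherwise the modify simply fails on F11 instead of silently replicating a hash.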
