administrator created w/out shadowAccount object
by Maurizio Marini
i cannot believe...but it's true ;(
the scenario:
CentOS 5.3 fully updated, Fedora that one i downloaded by repository for CentOS
5.3 last saturday
samba:
rpm -qa |grep samba
system-config-samba-1.2.41-3.el5
samba-client-3.0.33-3.7.el5
samba-common-3.0.33-3.7.el5
samba-3.0.33-3.7.el5
rpm -qa |grep fedora
fedora-ds-base-1.2.0-2.fc6
fedora-ds-dsgw-1.1.2-1.fc6
fedora-ds-admin-1.1.7-3.fc6
fedora-ds-1.1.3-1.fc6
fedora-ds-console-1.2.0-1.fc6
fedora-ds-admin-console-1.1.3-1.fc6
fedora-idm-console-1.1.3-1.fc6
samba is pdc with fds backend
trying to change Administrator password using smbldap-passwd i get:
Failed to modify UNIX password: attribute "shadowLastChange" not allowed
changing for test user is fine
checking with admin console i find that Administrator is without shadowAccount
object.
i followed the samba howto to install a pdc, but i recovered a backup of
previous pdc server that was damaged and reinstalled
my question is: when is added this object and who adds it?
tia
m.
--
Maurizio Marini Via Collemare, 14 - 61039 San Costanzo (PU) - Italy
GSM +39-335-8259739 RTG : +39-0721950396 0721870286
Skype: maumar(a)datalogica.com
C.F. MRNMRZ59E17G920X P. Iva: 01332360419
14 years, 9 months
no admin console after changing dirmanager password
by Maurizio Marini
I have changed Dir Manager password
as explained here:
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword
after the change and restart, i checked as suggested:
ldapsearch -x -D "cn=directory manager" -w newpassword -s base -b "" "objectclass=*"
all seems ok
but...
fedora-idm-console allows access but after access all is blank
this is the log:
[Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: host [localhost.localdomain] did not match pattern [*.xxxxxx.it] -will scan aliases
[Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [*.xxxxxx.it]
[Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
i dunno where i failed, i supposed that my editor had split lines longer
than 80 chars into dse.ldif but now i see (after reinstalling fds) that in dse.ldif lines are wrapped.
-m
14 years, 9 months
Re: [389-users] Re: Password lookup to AD
by Prashanth Sundaram
Thank you Rich,
"so if you have some PAM module that can auth against AD (except LDAP which
probably won't work) you can configure PAM passthrough to pass the auth to
that PAM module, then to AD"
Are you implying, the FDS will go out of picture with PAM? I mean, can I
still use FDS to check the uid attribute and then pass it to PAM?
I am sorry, but I am not getting the flow clearly.
Can you type in rough, how the flow goes? (Hopefully someone might come this
way and find this helpful)
14 years, 9 months
Password lookup to AD
by Prashanth Sundaram
Hi,
Is it possible to have Fedora DS and have the password lookup redirected to
Active Directory? Some kind of proxy lookup. Take the case of Mac OS X
server and clients, they have Open Directory and the password manager can
authenticate against the Active Directory.
Is it possible to have FDS without the password?
So I would like to know, is it possible to achieve the same for FDS using
Samba, Winbind or NSS?? Is it possible that the FDS has all the user
permissions and special groups but the authentication is turned to AD. I
know the passwords are hashed by Kerberos and hope we can achieve this with
some effort.
A useful post by Microsoft
http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx?pr=blog
Thanks,
Prashanth
14 years, 9 months
Strange replication error
by Dumbo Q
I have 2 servers set up for MMR. It seemed to be working fine (although I've only had it running for a few hours). Today I installed a new SSL certificate on both servers. They both came back up fine, and SSL is working perfectly.
However I noticed that replication has stopped. Here is the error message that I am getting. I've looked around and can't find any information about it. I imagine I could probably reinitialize, but I would really like to know what went wrong.
[10/Jul/2009:11:22:13 -0400] - CentOS-Directory/8.1.0 B2009.134.1334 starting up
[10/Jul/2009:11:22:13 -0400] - I'm resizing my cache now...cache was 20000000 and is now 8000000
[10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
[10/Jul/2009:11:22:13 -0400] - _csngen_parse_state: replica id mismatch; current id - 1, replica id in the state - 65535
[10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - _replica_init_from_config: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
[10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - Unable to configure replica dc=mydomain, dc=com: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
[10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
[10/Jul/2009:11:22:13 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Jul/2009:11:22:13 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[10/Jul/2009:12:08:52 -0400] NSMMReplicationPlugin - conn=18 op=3 replica="unknown": Unable to acquire replica: error: no such replica
14 years, 9 months
Alternative way to sync password
by Prashanth Sundaram
Hello folks,
I would like to test all the options for password sync between Fedora DS and
Active Directory. Isn't there an alternative to this??
1. Win Sync Agreement and PassSync.msi
2. ???
3. ???
Note: I need only passwords to sync, User accounts and groups are optional.
Thanks
Prashanth
14 years, 9 months
Re: Strange replication error
by Dumbo Q
Any ideas?
I'll probably try reinitializing the bad server again, but it is a little uncomfortable not knowing what caused this to break. I looked around on Google but all I found was another person with the same problem, and no responses to his posting.
________________________________
From: Dumbo Q <dumboq(a)yahoo.com>
To: fedora-directory-users(a)redhat.com
Sent: Friday, July 10, 2009 2:38:28 PM
Subject: Strange replication error
I have 2 servers set up for MMR. It seemed to be working fine (although I've only had it running for a few hours). Today I installed a new SSL certificate on both servers. They both came back up fine, and SSL is working perfectly.
However I noticed that replication has stopped. Here is the error message that I am getting. I've looked around and can't find any information about it. I imagine I could probably reinitialize, but I would really like to know what went wrong.
[10/Jul/2009:11:22:13 -0400] - CentOS-Directory/8.1.0 B2009.134.1334 starting up
[10/Jul/2009:11:22:13 -0400] - I'm resizing my cache now...cache was 20000000 and is now 8000000
[10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
[10/Jul/2009:11:22:13 -0400] - _csngen_parse_state: replica id mismatch; current id - 1, replica id in the state - 65535
[10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - _replica_init_from_config: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
[10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - Unable to configure replica dc=mydomain, dc=com: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
[10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
[10/Jul/2009:11:22:13 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Jul/2009:11:22:13 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[10/Jul/2009:12:08:52 -0400] NSMMReplicationPlugin - conn=18 op=3 replica="unknown": Unable to acquire replica: error: no such replica
14 years, 9 months
FDS user accounts how to ??
by Arun Shrimali
Dear All,
I have set up FDS (389) (FDS 1.1.3-1.FC11) on Fedora 11. I have followed the
installation process, which went fairly. Now I have FDS running.
I want my users on LAN (Windows / Linux) to authenticate (while booting) and
access their home folders.
Would creating users through FDS be sufficient, or do I have to install /
configure a few more things? An easy howto of a GUI tool would be helpful.
regards
Arun
14 years, 9 months
samba pdc + fedora directory server
by Sachin Gopal
Hi,
I have an existing OpenLDAP server running with samba pdc. If I move the
existing to fedora directory server, would all the existing users' passwords
be the same? Or is there some hack on this.
--
Sachin Gopal
14 years, 9 months
Password synchronization between AD and FDS
by Prashanth Sundaram
Hello,
I am in the process of setting up the Fedora DS as our main development LDAP
server. I would like to know all the possible ways to sync the password
between AD and FDS.
Please forgive me, if I am repeating any questions already posted on this
forum.
Question1: Is FDS and Password sync Enterprise ready? I am afraid the
password Sync can break anytime. Also our Windows admins are very skeptical
to install a plug-in like PassSync.
Question2: How can I make sure the service is running without any problems
on MS server 2003? Any checks or notification system?
Question3: Has anyone tried the Windows Services for Unix 3.5, Password
Synchronization between AD and UNIX?
Question4: What other password sync mechanisms can I try, even if it
requires hours of configuring.
Thanks,
Prashanth
14 years, 9 months