On 7 Dec 2018, at 03:45, Abhisheyk Deb <abhisheykdeb@gmail.com> wrote:

Thank you for your reply. I tried creating a Windows sync agreement between the 389 DS and AD Read Only DC (RODC). When I give all the details in the New Windows Sync Agreement screen, it does not give me an error message saying that "Cannot contact active directory server." But when I try to initiate Full Re-synchronization it gives me an error saying "connection error: operation failure - Total update aborted. Error Code:1". But I am seeing all the users and groups properly synced without passwords at the proper target OU in the 389 DS. Can this be a bug or am I missing something?
I don't get this error if I am syncing with an AD Read Write DC (RWDC).

Sorry for the extremely late response,

I don’t have much experience with the winsync plugin, so I am not sure what is happening here.

I do know that in AD, RODCs have different operations and re-key the KDC, and certainly they may not contain a complete set of passwords based on the RODC Denied Replication group. So this could be the cause of the issue.

It may be that you should sync from a full DC to 389 instead.



Regards.

On Wed, Dec 5, 2018 at 3:56 PM William Brown <william@blackhats.net.au> wrote:


On 30 Nov 2018, at 01:30, Abhisheyk Deb <abhisheykdeb@gmail.com> wrote:

I have the following structure: AD RWDC (Read Write), AD RODC (Read Only), and a 389 DS instance.

PassSync will be installed on the AD RODC and the 389 DS instance will sync with it.

If the users are created on the AD RWDC and synced with the RODC, can PassSync still intercept passwords in cleartext format, and push them to 389 DS?

I think the answer is “yes” but you won’t get anything from the RODC Denied Replication group (i.e. domain admins).





_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


Sincerely,

William




Sincerely,

William