7:17 a.m.
Hello,
We have two Windows server 2003 domain controllers and I installed passsync on both
servers in order to sync password changes to our 389 LDAP. On one domain controller, it
appears passsync is working correctly as I can see in the passsync.log when I change a
password through that domain controller. On the other domain controller, when I change a
password I do not see any activity in the passsync.log at all. I have passsync on both
domain controllers set to verbose logging. I also restarted both domain controllers after
installing passsync.
On the domain controller that is not syncing passwords the log appears as:
02/18/15 07:52:59: PassSync service initialized
02/18/15 07:52:59: PassSync service running
02/18/15 07:52:59: No entries yet
02/18/15 07:52:59: Password list is empty. Waiting for passhook event
Does anyone have an idea of what the issue could be?
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
1:01 p.m.
On 02/18/2015 05:17 AM, Daniel Franciscus wrote:
Hello,
We have two Windows server 2003 domain controllers and I installed
passsync on both servers in order to sync password changes to our 389
LDAP. On one domain controller, it appears passsync is working
correctly as I can see in the passsync.log when I change a password
through that domain controller. On the other domain controller, when I
change a password I do not see any activity in the passsync.log at
all. I have passsync on both domain controllers set to verbose
logging. I also restarted both domain controllers after installing
passsync.
On the domain controller that is not syncing passwords the log appears as:
02/18/15 07:52:59: PassSync service initialized
02/18/15 07:52:59: PassSync service running
02/18/15 07:52:59: No entries yet
02/18/15 07:52:59: Password list is empty. Waiting for passhook event
Does anyone have an idea of what the issue could be?
What is the version of
PassSync? The latest is 1.1.6.
http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html
Did yo have a chance to enable passhook log?
In the regedit, go to: HKEY_LOCAK_MACHINE --> SOFTWARE\PasswordSync
then, set 1 to Log Level.
If you add or modify a password on the Windows Server 2003 domain
cotroller, what do you get? Any errors?
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
1:45 p.m.
Yes, logging is set to 1. No errors at all, as if passsync is not detecting a password
change. I am going to reboot the server after production hours again to see if that
resolves it.
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
----- Original Message -----
From: "Noriko Hosoi" <nhosoi(a)redhat.com>
To: 389-users(a)lists.fedoraproject.org
Sent: Wednesday, February 18, 2015 2:01:41 PM
Subject: Re: [389-users] Passsync not changing passwords
On 02/18/2015 05:17 AM, Daniel Franciscus wrote:
Hello,
We have two Windows server 2003 domain controllers and I installed passsync on both
servers in order to sync password changes to our 389 LDAP. On one domain controller, it
appears passsync is working correctly as I can see in the passsync.log when I change a
password through that domain controller. On the other domain controller, when I change a
password I do not see any activity in the passsync.log at all. I have passsync on both
domain controllers set to verbose logging. I also restarted both domain controllers after
installing passsync.
On the domain controller that is not syncing passwords the log appears as:
02/18/15 07:52:59: PassSync service initialized
02/18/15 07:52:59: PassSync service running
02/18/15 07:52:59: No entries yet
02/18/15 07:52:59: Password list is empty. Waiting for passhook event
Does anyone have an idea of what the issue could be?
What is the version of PassSync? The latest is 1.1.6.
http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html
Did yo have a chance to enable passhook log?
In the regedit, go to: HKEY_LOCAK_MACHINE --> SOFTWARE\PasswordSync
then, set 1 to Log Level.
If you add or modify a password on the Windows Server 2003 domain cotroller, what do you
get? Any errors?
<blockquote>
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
--
389 users mailing list 389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
</blockquote>
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
4:24 p.m.
On 02/18/2015 11:45 AM, Daniel Franciscus wrote:
Yes, logging is set to 1. No errors at all, as if passsync is not
detecting a password change.
Sorry, I was not precise about the passhook log.
cd C:\windows\system32
ls passhook*
You should be able to see 3 files: passhook.dat, passhook.dll, and
passhook.log.
Do you see any logs in the passhook.log file? For instance, my test
shows these messages on successful sync. Do you see them?
02/18/15 14:16:34 user AD_sync_user6 password changed
02/18/15 14:16:34 0 entries loaded from file
02/18/15 14:16:34 1 entries saved to file
If empty even if you update any password on AD, you may need to reboot
the Windows machine...
I am going to reboot the server after production hours again to see
if
that resolves it.
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
------------------------------------------------------------------------
*From: *"Noriko Hosoi" <nhosoi(a)redhat.com>
*To: *389-users(a)lists.fedoraproject.org
*Sent: *Wednesday, February 18, 2015 2:01:41 PM
*Subject: *Re: [389-users] Passsync not changing passwords
On 02/18/2015 05:17 AM, Daniel Franciscus wrote:
Hello,
We have two Windows server 2003 domain controllers and I installed
passsync on both servers in order to sync password changes to our
389 LDAP. On one domain controller, it appears passsync is working
correctly as I can see in the passsync.log when I change a
password through that domain controller. On the other domain
controller, when I change a password I do not see any activity in
the passsync.log at all. I have passsync on both domain
controllers set to verbose logging. I also restarted both domain
controllers after installing passsync.
On the domain controller that is not syncing passwords the log
appears as:
02/18/15 07:52:59: PassSync service initialized
02/18/15 07:52:59: PassSync service running
02/18/15 07:52:59: No entries yet
02/18/15 07:52:59: Password list is empty. Waiting for passhook event
Does anyone have an idea of what the issue could be?
What is the version of PassSync? The latest is 1.1.6.
http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html
Did yo have a chance to enable passhook log?
In the regedit, go to: HKEY_LOCAK_MACHINE --> SOFTWARE\PasswordSync
then, set 1 to Log Level.
If you add or modify a password on the Windows Server 2003 domain
cotroller, what do you get? Any errors?
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
5:19 p.m.
Ah, I do not see passhook.dat or passhook.log. I tried uninstalling and re-installing but
I still do not see those files there.
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
----- Original Message -----
From: "Noriko Hosoi" <nhosoi(a)redhat.com>
To: 389-users(a)lists.fedoraproject.org
Sent: Wednesday, February 18, 2015 5:24:33 PM
Subject: Re: [389-users] Passsync not changing passwords
On 02/18/2015 11:45 AM, Daniel Franciscus wrote:
Yes, logging is set to 1. No errors at all, as if passsync is not detecting a password
change.
Sorry, I was not precise about the passhook log.
cd C:\windows\system32
ls passhook*
You should be able to see 3 files: passhook.dat, passhook.dll, and passhook.log.
Do you see any logs in the passhook.log file? For instance, my test shows these messages
on successful sync. Do you see them?
<blockquote>
02/18/15 14:16:34 user AD_sync_user6 password changed
02/18/15 14:16:34 0 entries loaded from file
02/18/15 14:16:34 1 entries saved to file
</blockquote>
If empty even if you update any password on AD, you may need to reboot the Windows
machine...
<blockquote>
I am going to reboot the server after production hours again to see if that resolves it.
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
----- Original Message -----
From: "Noriko Hosoi" <nhosoi(a)redhat.com>
To: 389-users(a)lists.fedoraproject.org
Sent: Wednesday, February 18, 2015 2:01:41 PM
Subject: Re: [389-users] Passsync not changing passwords
On 02/18/2015 05:17 AM, Daniel Franciscus wrote:
<blockquote>
Hello,
We have two Windows server 2003 domain controllers and I installed passsync on both
servers in order to sync password changes to our 389 LDAP. On one domain controller, it
appears passsync is working correctly as I can see in the passsync.log when I change a
password through that domain controller. On the other domain controller, when I change a
password I do not see any activity in the passsync.log at all. I have passsync on both
domain controllers set to verbose logging. I also restarted both domain controllers after
installing passsync.
On the domain controller that is not syncing passwords the log appears as:
02/18/15 07:52:59: PassSync service initialized
02/18/15 07:52:59: PassSync service running
02/18/15 07:52:59: No entries yet
02/18/15 07:52:59: Password list is empty. Waiting for passhook event
Does anyone have an idea of what the issue could be?
</blockquote>
What is the version of PassSync? The latest is 1.1.6.
http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html
Did yo have a chance to enable passhook log?
In the regedit, go to: HKEY_LOCAK_MACHINE --> SOFTWARE\PasswordSync
then, set 1 to Log Level.
If you add or modify a password on the Windows Server 2003 domain cotroller, what do you
get? Any errors?
<blockquote>
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
--
389 users mailing list 389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
</blockquote>
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list 389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
</blockquote>
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
5:38 p.m.
So I finally figured out the problem in case anyone ever comes across this again.
In order for a password filter to register and to actually capture password changes on a
server, the filename of the DLL must in this key
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. After
searching the entire registry on both of my domain controllers for the string
"passhook" I saw that the one that was working had passhook in this key and the
one that was not working did not. This key is set during installation of passsync, so for
whatever reason the passsync installation on the non working DC was not able to add that
value. I added the value manually, rebooted and it works.
Just thought you should know in case you ever see this again.
Thanks again for your help though, it pointed me in the direction I needed.
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
----- Original Message -----
From: "Noriko Hosoi" <nhosoi(a)redhat.com>
To: 389-users(a)lists.fedoraproject.org
Sent: Wednesday, February 18, 2015 2:01:41 PM
Subject: Re: [389-users] Passsync not changing passwords
On 02/18/2015 05:17 AM, Daniel Franciscus wrote:
Hello,
We have two Windows server 2003 domain controllers and I installed passsync on both
servers in order to sync password changes to our 389 LDAP. On one domain controller, it
appears passsync is working correctly as I can see in the passsync.log when I change a
password through that domain controller. On the other domain controller, when I change a
password I do not see any activity in the passsync.log at all. I have passsync on both
domain controllers set to verbose logging. I also restarted both domain controllers after
installing passsync.
On the domain controller that is not syncing passwords the log appears as:
02/18/15 07:52:59: PassSync service initialized
02/18/15 07:52:59: PassSync service running
02/18/15 07:52:59: No entries yet
02/18/15 07:52:59: Password list is empty. Waiting for passhook event
Does anyone have an idea of what the issue could be?
What is the version of PassSync? The latest is 1.1.6.
http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html
Did yo have a chance to enable passhook log?
In the regedit, go to: HKEY_LOCAK_MACHINE --> SOFTWARE\PasswordSync
then, set 1 to Log Level.
If you add or modify a password on the Windows Server 2003 domain cotroller, what do you
get? Any errors?
<blockquote>
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
--
389 users mailing list 389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
</blockquote>
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
8:14 p.m.
On 02/24/2015 03:38 PM, Daniel Franciscus wrote:
So I finally figured out the problem in case anyone ever comes across
this again.
In order for a password filter to register and to actually capture
password changes on a server, the filename of the DLL must in this
key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification
Packages. After searching the entire registry on both of my domain
controllers for the string "passhook" I saw that the one that was
working had passhook in this key and the one that was not working did
not. This key is set during installation of passsync, so for whatever
reason the passsync installation on the non working DC was not able to
add that value. I added the value manually, rebooted and it works.
Just thought you should know in case you ever see this again.
Thanks again for your help though, it pointed me in the direction I
needed.
Hello Daniel,
Thank you so much for your investigation and sharing the result with
us. Yes, 'passhook' is supposed to be set in the registry, but somehow
it was not... I'm going to add your finding to the FAQ/troubleshooting
on our wiki port389.org.
PassSync.wxs
<RegistryKey Id='NotPkgs' Root='HKLM'
Key='SYSTEM\ControlSet001\Control\Lsa' ForceCreateOnInstall='yes' >
<RegistryValue Name='Notification Packages'
Type='multiString' Value='passhook'/>
</RegistryKey>
Thanks!
--noriko
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
------------------------------------------------------------------------
*From: *"Noriko Hosoi" <nhosoi(a)redhat.com>
*To: *389-users(a)lists.fedoraproject.org
*Sent: *Wednesday, February 18, 2015 2:01:41 PM
*Subject: *Re: [389-users] Passsync not changing passwords
On 02/18/2015 05:17 AM, Daniel Franciscus wrote:
Hello,
We have two Windows server 2003 domain controllers and I installed
passsync on both servers in order to sync password changes to our
389 LDAP. On one domain controller, it appears passsync is working
correctly as I can see in the passsync.log when I change a
password through that domain controller. On the other domain
controller, when I change a password I do not see any activity in
the passsync.log at all. I have passsync on both domain
controllers set to verbose logging. I also restarted both domain
controllers after installing passsync.
On the domain controller that is not syncing passwords the log
appears as:
02/18/15 07:52:59: PassSync service initialized
02/18/15 07:52:59: PassSync service running
02/18/15 07:52:59: No entries yet
02/18/15 07:52:59: Password list is empty. Waiting for passhook event
Does anyone have an idea of what the issue could be?
What is the version of PassSync? The latest is 1.1.6.
http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html
Did yo have a chance to enable passhook log?
In the regedit, go to: HKEY_LOCAK_MACHINE --> SOFTWARE\PasswordSync
then, set 1 to Log Level.
If you add or modify a password on the Windows Server 2003 domain
cotroller, what do you get? Any errors?
Dan Franciscus
Systems Administrator
Information Technology Group
Institute for Advanced Study
609-734-8138
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
3341
days inactive
3348
days old
389-users@lists.fedoraproject.org
6 comments
2 participants
participants (2)
-
Daniel Franciscus -
Noriko Hosoi