Hi all!
I've successfully installed FDS and the PassSync MSI on Windows AD. I admit that some problems have arisen, since the documentation is a bit poor on the SSL part, especially on AD, but finally I was able to make things work.
I'm facing an odd problem that I'm not able to understand, but which has probably already been discussed on the list.
I'm able to keep the password in sync between AD and FDS when I change the password from AD, but not vice versa. Really, from the Windows event log things seem to go right: it tells me that the password has been successfully updated (passwd is issued from Linux). But the stored password is somewhat different. Could it be an encryption problem? Any hints?
Regards, Paolo.
Paolo - Maybe your certificates are not set up correctly. You should have the same CA certificate in the database in both FDS and AD. Also, the server certs in each database should be issued by the same certificate authority.
It is convenient to use the Certificate Authority included with recent Microsoft Windows servers to create a CA certificate to import into both databases. You can then create server certificates using the MSCA and import them into their respective databases.
You may also need to import the server certificate from FDS into the database on AD and vice-versa. Once this is done, you should review and possibly modify the trust attributes on all the certs. As you can see from my examples, I used a scatter-gun approach.
You will need to use certutil for all import and modify operations on the certificate databases. "certutil -H" gives a nice reference.
Examples:
sibelius=FD boccherini=AD TWCA=CA

[root@sibelius alias]# ./certutil -L -d . -P slapd-sibelius-
TWCA          CT,c,c
boccherini    P,P,P
server-cert   CTu,cu,cu

C:\Program Files\RHD Password Sync>certutil -L -d .
TWCA          CT,C,C
server-cert   Pu,Pu,Pu
boccherini    P,P,P
Remember to restart FDS and PassSync after making changes. -G.
---------- Original Message -----------
From: Paolo Barbato paolo.barbato@igi.cnr.it
To: fedora-directory-users@redhat.com
Sent: Thu, 27 Sep 2007 10:06:40 +0200
Subject: [Fedora-directory-users] fds vs passsync vs AD
[snip]
--
--------------------
Paolo Barbato            email: mailto:paolo.barbato@igi.cnr.it
Network Administrator    phone: (39-049)-829-5097 (39-049)-829-5000
Corso Stati Uniti,4      www: http://www.igi.cnr.it
35127 Camin-Padova       PGP: http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY                    JabberID: rfx_paolo_barbato@messenger.efda.org
--------------------
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
------- End of Original Message -------
Glenn wrote:
[snip]
You may also need to import the server certificate from FDS into the database on AD and vice-versa.
You should not need to do this. All that should be required is that each cert db has the cert for that server plus the trusted CA cert.
[snip]
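An added check, not from the thread or the FDS project, for the rule Richard states above (each cert db needs the trusted CA cert plus that server's own cert) and for the trust flags Glenn's listings show: this POSIX shell helper parses the "nickname  flags" listing that "certutil -L -d <dir>" prints and reports a CA without the C flag or a server cert without the u flag. The function names, nicknames and the two embedded listings are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the FDS project: audit the trust
# attributes of an NSS cert db (as used by FDS and PassSync) against the
# rule that it must hold the trusted CA cert plus this server's own cert.
# Assumes the "nickname <spaces> flags" layout printed by "certutil -L -d <dir>"
# and nicknames without spaces.

# Constructed sample listing that satisfies the rule:
# CA trusted to issue SSL server certs (C), server cert with its key (u).
LISTING_OK='Certificate Nickname                 Trust Attributes
                                             SSL,S/MIME,JAR/XPI

TWCA                                         CT,c,c
server-cert                                  CTu,cu,cu'

# Constructed sample listing where the CA is only a trusted peer (P)
# and the "server" entry is a peer cert with no private key.
LISTING_BAD='Certificate Nickname                 Trust Attributes
                                             SSL,S/MIME,JAR/XPI

TWCA                                         P,P,P
boccherini                                   P,P,P'

# ssl_flags LISTING NICKNAME -> prints the SSL column of that cert's flags
ssl_flags() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { split($2, f, ","); print f[1] }'
}

# audit_certdb LISTING CA_NICK SERVER_NICK
# Returns 0 if CA_NICK carries C (trusted CA for SSL) and SERVER_NICK
# carries u (private key present); prints one finding per check.
audit_certdb() {
    listing=$1; ca=$2; server=$3; rc=0
    ca_ssl=$(ssl_flags "$listing" "$ca")
    srv_ssl=$(ssl_flags "$listing" "$server")
    case "$ca_ssl" in
        *C*) echo "ok:   CA '$ca' is a trusted SSL CA ($ca_ssl)" ;;
        *)   echo "FAIL: CA '$ca' lacks the C flag (got '${ca_ssl:-missing}')"; rc=1 ;;
    esac
    case "$srv_ssl" in
        *u*) echo "ok:   server cert '$server' has its private key ($srv_ssl)" ;;
        *)   echo "FAIL: '$server' has no u flag (got '${srv_ssl:-missing}')"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone run over the two constructed listings.
audit_certdb "$LISTING_OK" TWCA server-cert
audit_certdb "$LISTING_BAD" TWCA boccherini || echo "-> adjust flags with certutil -M, then restart FDS/PassSync"
```

On a real server replace the embedded listing with the output of certutil -L run against the FDS alias directory or the PassSync install directory.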
Richard Megginson wrote:
Glenn wrote:
[snip]
Just need confirmation. In order for PassSync to work, does FDS first need to have the corresponding users from Windows ADS manually created? Doesn't PassSync do this automatically? TIA
Peter Santiago wrote:
Just need confirmation. In order for the passsync to work, does FDS first need to have the corresponding users from Windows ADS manually created ? Doesn't Passsync do this automatically? TIA
Not passsync (the AD "plug-in" that only syncs passwords one way, from AD to FDS) but winsync (the component that runs in FDS that pushes user, group, and password changes to AD, and pulls user and group changes from AD to FDS).
Richard Megginson wrote: [SNIP]
Winsync? I hope you can point out where I can find this? Is this already included by default with FDS 1.0.4? Or do I have to download and compile this tool?
Thanks a lot...
Peter Santiago wrote:
Winsync? I hope you can point out where I can find this? Is this already included by default with FDS 1.0.4? Or do I have to download and compile this tool?
Winsync is built into Fedora DS 1.0.4 - http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267
Is there a Passsync.exe or Winsync.exe for Active Directory to OpenLDAP integration (not using Fedora-DS) at the moment?
Thanks, Pedram M
On Fri, 2007-09-28 at 13:51 -0600, Richard Megginson wrote:
[snip]
Pedram M wrote:
Is there a Passsync.exe or Winsync.exe for Active Directory to OpenLDAP integration (not using Fedora-DS) at the moment?
I don't know. I don't know if passsync.exe (there is no winsync.exe) will work with OpenLDAP.
Thanks for the reply, but I suspect I'm facing a different problem.
Talking about SSL.
As far as I understand, SSL is used both for PassSync (AD -> FDS) and for the replication agreement (AD <-> FDS). Note that these are two different tasks.
In the first case the cert8.db certificates do the work. I've installed my CA certificate and the FDS server certificate on both AD and FDS. PassSync works without a hitch. When I change the password from Windows it's set exactly on FDS.
The replication agreement is based on cert8.db on FDS and on the MS architecture on AD; I mean that I make use of mmc to install the CA and the AD server signed certificate.
Replication also seems to work, since I see that the AD and FDS users are "merged" into one (almost) identical list. So users that were in AD are created on FDS and vice versa, with (almost) all parameters set.
My problem arises when, from a Linux machine authenticated on FDS, I issue passwd and change the password. Really, all seems to go right, since FDS registers the new password, and AD also tells me that the change has been committed:
first event:

User Account Changed:
    Target Account Name:  barbato
    Target Domain:        TEST
    Target Account ID:    TEST\barbato
    Caller User Name:     sync manager
    Caller Domain:        TEST
    Caller Logon ID:      (0x0,0x318F76)
    Privileges:           -
    Changed Attributes:
        Sam Account Name:     -
        Display Name:         -
        User Principal Name:  -
        Home Directory:       -

and after a while a second security event:

User Account password set:
    Target Account Name:  barbato
    Target Domain:        TEST
    Target Account ID:    TEST\barbato
    Caller User Name:     sync manager
    Caller Domain:        TEST
    Caller Logon ID:      (0x0,0x318F76)
But when I try to log on to AD with this new password, AD tells me that I'm using the wrong one. Note that the previous one doesn't work either, which confirms that it has really been changed.
Has anybody faced this? Some other things to look into?
Regards, Paolo.
At 13:49 -0600 27-09-2007, Richard Megginson wrote:
[snip]