Hello guys, I have an IPA server 4.5 connected to Windows AD. The user replication is OK, but I have a strange problem with password sync: some users synchronize their password without problem, but other user accounts do not synchronize the password.
User ok (can successfully log in)
[....................]
  User login: pruebas.sistemas
  First name: Pruebas
  Last name: Sistemas
  Home directory: /home/pruebas.sistemas
  Login shell: /bin/bash
  Principal alias: pruebas.sistemas@EXAMPLE.COM
  Email address: pruebas.sistemas@example.com
  UID: 494205252
  GID: 494205252
  Account disabled: False
  Password: True
  Kerberos keys available: True
[....................]
SSH auth log:
[....................]
Apr 17 16:45:03 odi-scan sshd[26044]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.3.30 user=pruebas.sistemas
Apr 17 16:45:05 odi-scan sshd[26041]: Accepted keyboard-interactive/pam for pruebas.sistemas from 10.191.3.30 port 64603 ssh2
Apr 17 16:45:05 odi-scan sshd[26041]: pam_unix(sshd:session): session opened for user pruebas.sistemas by (uid=0)
Apr 17 16:45:19 odi-scan sshd[26041]: pam_unix(sshd:session): session closed for user pruebas.sistemas
[....................]
User error (can't ssh log in)
[....................]
  User login: rodrigo.gutierrez
  First name: Rodrigo Antonio
  Last name: Gutiérrez Torres
  Home directory: /home/rodrigo.gutierrez
  Login shell: /bin/bash
  Principal alias: rodrigo.gutierrez@EXAMPLE.COM
  Email address: rodrigo.gutierrez@example.com
  UID: 494206316
  GID: 494206316
  Telephone Number: +15013
  Job Title: Ingeniero en Sistemas
  Account disabled: False
  Password: False
  Member of groups: admins
  Member of Sudo rule: admin-log
  Kerberos keys available: False
[....................]
Error on the server for this client:
[....................]
Apr 17 17:06:54 odi-scan sshd[27243]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.3.30 user=rodrigo.gutierrez
Apr 17 17:06:54 odi-scan sshd[27243]: pam_sss(sshd:auth): received for user rodrigo.gutierrez: 17 (Failure setting user credentials)
[....................]
Both SSH connections are against the same server.
Regards. --- Miguel Coa M.
On Tue, 17 Apr 2018, Miguel Angel Coa M. via FreeIPA-users wrote:
For the second user a login failure is expected because it has no password set on the account.
I guess you'd need to look into the passsync logs to understand whether there is a failure in synchronization of the password on a password change in AD. Typical issues might be:
- you haven't installed the passsync plugin on all DCs, and the user used a different DC to do a password change, where there is no passsync plugin, so the password is not intercepted for a sync
- the user never changed a password since the sync procedure was established.
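The two checks Alexander points at (does the IPA entry carry a password and Kerberos keys at all, and what exactly does pam_sss report) can be scripted on the IPA side. The following is an added example, not code from the thread or from FreeIPA: it parses the text form of `ipa user-show` / `ipa user-find` output (assumed to match the blocks pasted above) and sshd `pam_sss` log lines, lists accounts that never received a synced password, and labels each failed login accordingly. The sample entries for the two users are copied from the thread; the third user (maria.lopez) and its log lines are constructed for illustration. The PAM return codes used are Linux-PAM's `PAM_CRED_ERR` (17, the code in the thread) and `PAM_AUTH_ERR` (7).

```python
"""Triage IPA accounts that never received a password from PassSync.

Added example (not part of the thread or of FreeIPA). Input is the text
output of `ipa user-show`/`ipa user-find --all` and sshd pam_sss log lines.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the `ipa user-show` output in the thread;
# maria.lopez is a hypothetical third account.
IPA_USER_OUTPUT = """\
  User login: pruebas.sistemas
  First name: Pruebas
  Last name: Sistemas
  Password: True
  Kerberos keys available: True

  User login: rodrigo.gutierrez
  First name: Rodrigo Antonio
  Last name: Gutiérrez Torres
  Member of groups: admins
  Password: False
  Kerberos keys available: False

  User login: maria.lopez
  First name: Maria
  Last name: Lopez
  Password: True
  Kerberos keys available: True
"""

# Constructed pam_sss lines in the format shown in the thread.
SSHD_LOG = """\
Apr 17 16:45:03 odi-scan sshd[26044]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.3.30 user=pruebas.sistemas
Apr 17 17:06:54 odi-scan sshd[27243]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.3.30 user=rodrigo.gutierrez
Apr 17 17:06:54 odi-scan sshd[27243]: pam_sss(sshd:auth): received for user rodrigo.gutierrez: 17 (Failure setting user credentials)
Apr 17 17:10:02 odi-scan sshd[27301]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.3.30 user=maria.lopez
Apr 17 17:10:02 odi-scan sshd[27301]: pam_sss(sshd:auth): received for user maria.lopez: 7 (Authentication failure)
"""

PAM_CRED_ERR = 17  # Linux-PAM "Failure setting user credentials" (seen in the thread)
PAM_AUTH_ERR = 7   # Linux-PAM "Authentication failure": a password exists but did not match

_RECV = re.compile(r"pam_sss\(sshd:auth\): received for user (\S+): (\d+) \((.*)\)")


def parse_ipa_users(text: str) -> Dict[str, Dict[str, str]]:
    """Parse blank-line separated 'Key: value' records into {login: {key: value}}."""
    users: Dict[str, Dict[str, str]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(": ")
            if key:
                attrs[key] = value
        if "User login" in attrs:
            users[attrs["User login"]] = attrs
    return users


def parse_pam_failures(log: str) -> List[dict]:
    """Extract the 'received for user X: N (msg)' lines that pam_sss logs on failure."""
    found = []
    for line in log.splitlines():
        m = _RECV.search(line)
        if m:
            found.append({"user": m.group(1), "code": int(m.group(2)), "msg": m.group(3)})
    return found


def unsynced_accounts(users: Dict[str, Dict[str, str]]) -> List[str]:
    """Accounts with no password (and hence no Kerberos keys) in IPA: PassSync never delivered one."""
    return sorted(login for login, attrs in users.items()
                  if attrs.get("Password") == "False"
                  or attrs.get("Kerberos keys available") == "False")


def explain_failures(users: Dict[str, Dict[str, str]], failures: List[dict]) -> Dict[str, str]:
    """Label each pam_sss failure using the IPA account state."""
    diag: Dict[str, str] = {}
    for f in failures:
        attrs = users.get(f["user"])
        if attrs is None:
            diag[f["user"]] = "unknown to IPA"
        elif attrs.get("Password") == "False":
            diag[f["user"]] = "no password in IPA: the AD password change was never intercepted by PassSync"
        elif f["code"] == PAM_AUTH_ERR:
            diag[f["user"]] = "password set in IPA but did not match: stale sync or wrong password"
        else:
            diag[f["user"]] = f"other: {f['code']} ({f['msg']})"
    return diag


if __name__ == "__main__":
    users = parse_ipa_users(IPA_USER_OUTPUT)
    print("never synced:", unsynced_accounts(users))
    for login, why in explain_failures(users, parse_pam_failures(SSHD_LOG)).items():
        print(f"{login}: {why}")
```

Against real data, feed it `ipa user-find --all` output and `/var/log/secure` (or `journalctl -u sshd`) from the host that rejected the login; an account listed by `unsynced_accounts` is one whose password change happened on a DC that PassSync does not cover, or that has not changed its password since the sync was set up, which is exactly the split Alexander describes.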
Hello Alexander, thanks for your clarification. The problem was: the user changes the password on their personal computer, but this action hits another domain controller (load balancing), not necessarily the one where the passsync program is installed, so some users hit AD (with passsync, sync OK) but other users hit AD2 (without passsync, no sync). I will install passsync on AD2 and will try.
Thanks.
Regards. --- Miguel Coa M.
2018-04-18 4:03 GMT-03:00 Alexander Bokovoy abokovoy@redhat.com:
For the second user a login failure is expected because it has no password set on the account.
I guess you'd need to look into passsync logs to understand whether there is a failure in synchronization of the password on a password change in AD. Typical issues might be:
- you haven't installed the passsync plugin on all DCs, and the user used a different DC to do a password change, where there is no passsync plugin, so the password is not intercepted for a sync
- the user never changed a password since the sync procedure was established.
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
On Wed, 18 Apr 2018, Miguel Angel Coa M. wrote:
This is one of the limitations of the approach of syncing passwords: you have to install passsync on all DCs. The same applies to any other tool that relies on the password quality check interface in Windows to intercept passwords, because once a password is changed, the other DCs see only password hashes and not the plain text anymore.
Alexander, thanks for your clarification.
Regards. --- Miguel Coa M.
2018-04-19 2:25 GMT-03:00 Alexander Bokovoy abokovoy@redhat.com:
freeipa-users@lists.fedorahosted.org