Hi,
We've installed FDS, AD and a replication agreement.
FDS data/passwords sync with AD
AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent or caught in FDS
- Passwords are not recognized after a Full init.
FDS => AD full init = unable to log on AD (even if we manually
activate the account)
FDS -> AD passwd update = passwd ok in AD
Does anyone have an idea?
--
=========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

Emmanuel BILLOT wrote:
> Hi,
>
> We've installed FDS, AD and a replication agreement.
> FDS data/passwords sync with AD
> AD passwords sync with FDS.
>
> 2 problems are still unsolved:
> - AD modifications (name, surname, mail) are not sent or caught in FDS

I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

> - Passwords are not recognized after a Full init.
> FDS => AD full init = unable to log on AD (even if we manually
> activate the account)

Right. Passwords are not synced during full init. Full init only uses passwords in the database which are hashed and do not sync.

> FDS -> AD passwd update = passwd ok in AD

Right. Passwd update uses clear text passwords.

> Does anyone have an idea?

Rich Megginson wrote:
>> - AD modifications (name, surname, mail) are not sent or caught in FDS
> I suppose you could enable the replication log level and see why this
> is not working. Note that changes may take up to 5 minutes to sync
> over to Fedora DS due to the way the sync works using the DirSync
> control.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

I've enabled it, but nothing more than an empty replication try...
I thought FDS connects to AD and "ldapsearch"es the modified entries. I can't see any request or update try.

>> - Passwords are not recognized after a Full init.
>> FDS => AD full init = unable to log on AD (even if we manually
>> activate the account)
> Right. Passwords are not synced during full init. Full init only
> uses passwords in the database which are hashed and do not sync.
>> FDS -> AD passwd update = passwd ok in AD
> Right. Passwd update uses clear text passwords.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Emmanuel BILLOT wrote:
>> I suppose you could enable the replication log level and see why this
>> is not working. Note that changes may take up to 5 minutes to sync
>> over to Fedora DS due to the way the sync works using the DirSync
>> control.
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> I've enabled it, but nothing more than an empty replication try...
> I thought FDS connects to AD and "ldapsearch"es the modified entries. I can't
> see any request or update try.

Yes. That's what it is supposed to do, if the init succeeded.

Rich Megginson wrote:
>> - AD modifications (name, surname, mail) are not sent or caught in FDS
> I suppose you could enable the replication log level and see why this
> is not working. Note that changes may take up to 5 minutes to sync
> over to Fedora DS due to the way the sync works using the DirSync
> control.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>> - Passwords are not recognized after a Full init.
>> FDS => AD full init = unable to log on AD (even if we manually
>> activate the account)

Here is the log extract:
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): No changes to send
[26/Mar/2009:09:55:43 +0100] - Calling dirsync search request plugin
[26/Mar/2009:09:55:43 +0100] - Sending dirsync search request
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Beginning linger on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Linger timeout has expired on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): State: sending_updates -> wait_for_changes
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Disconnected from the consumer

I can't see any action.

> Right. Passwords are not synced during full init. Full init only
> uses passwords in the database which are hashed and do not sync.
>> FDS -> AD passwd update = passwd ok in AD
> Right. Passwd update uses clear text passwords.

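The extract above is one complete but idle WinSync cycle: nothing to send outbound, one DirSync poll inbound, then disconnect. A small parser that groups such errors-log entries by agreement and states that verdict, added here as an example (not code from the thread or from Fedora DS; the sample log is the extract above, re-typed one entry per line):

```python
import re
from collections import defaultdict

# Constructed sample: the errors-log extract from the message above, one entry per line.
SAMPLE_LOG = """\
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): No changes to send
[26/Mar/2009:09:55:43 +0100] - Calling dirsync search request plugin
[26/Mar/2009:09:55:43 +0100] - Sending dirsync search request
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Beginning linger on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Linger timeout has expired on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): State: sending_updates -> wait_for_changes
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Disconnected from the consumer
"""

ENTRY_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$')
AGMT_RE = re.compile(r'^NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<text>.*)$')
STATE_RE = re.compile(r'^State: (\S+) -> (\S+)$')


def summarize_winsync(log_text):
    """Group errors-log entries by sync agreement and record what each cycle did. DirSync plugin
    lines carry no agmt tag, so they are charged to the agreement seen most recently."""
    stats = defaultdict(lambda: {"peer": None, "no_changes": 0, "dirsync_polls": 0,
                                 "transitions": []})
    current = None
    for m in filter(None, map(ENTRY_RE.match, log_text.splitlines())):
        a = AGMT_RE.match(m.group("msg"))
        if a:
            current, text = a.group("agmt"), a.group("text")
            st = stats[current]
            st["peer"] = a.group("peer")
            st["no_changes"] += text == "No changes to send"  # outbound direction had nothing
            s = STATE_RE.match(text)
            if s:
                st["transitions"].append((s.group(1), s.group(2)))
        elif current and m.group("msg").endswith("Sending dirsync search request"):
            stats[current]["dirsync_polls"] += 1  # inbound poll of AD for changed entries
    return dict(stats)


def diagnose(summary):
    """One verdict per agreement, derived only from what the log shows."""
    out = {}
    for agmt, st in summary.items():
        if st["no_changes"] and st["dirsync_polls"]:
            out[agmt] = (f"idle cycle on {st['peer']}: nothing to send to AD, {st['dirsync_polls']} "
                         "DirSync poll(s) issued; if AD edits never show up, check the sync "
                         "account's rights on the AD side")
        else:
            out[agmt] = "cycle carried updates or did not poll AD"
    return out
```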
Emmanuel BILLOT wrote:
> Here is the log extract:
> [...]
> I can't see any action.

Ok, I found the problem: "Replicating Directory Changes" was not among the replication user's rights. All seems to be ok now.
Thanks.
BR,

Rich Megginson wrote:
>> - Passwords are not recognized after a Full init.
>> FDS => AD full init = unable to log on AD (even if we manually
>> activate the account)
> Right. Passwords are not synced during full init. Full init only
> uses passwords in the database which are hashed and do not sync.
>> FDS -> AD passwd update = passwd ok in AD
> Right. Passwd update uses clear text passwords.

Ok.
Is there any best practice when adding AD to an FDS?
I don't think I will ask all users to update their password just for it...?

Emmanuel BILLOT wrote:
>> Right. Passwords are not synced during full init. Full init only
>> uses passwords in the database which are hashed and do not sync.
> Ok.
> Is there any best practice when adding AD to an FDS?
> I don't think I will ask all users to update their password just for
> it...?

That's one of the main problems with Windows Sync/Pass Sync. There is really no way to sync passwords - AD uses an irreversible hash/encryption, and so does Fedora DS.
The Samba and freeIPA guys are working on ways to mitigate this situation.

Rich Megginson wrote:
>> Is there any best practice when adding AD to an FDS?
>> I don't think I will ask all users to update their password just for
>> it...?
> That's one of the main problems with Windows Sync/Pass Sync. There is
> really no way to sync passwords - AD uses an irreversible
> hash/encryption, and so does Fedora DS.
> The Samba and freeIPA guys are working on ways to mitigate this
> situation.

I had an idea (maybe totally crazy).
What happens if, for each FDS entry, the password is updated with the same hashed value after init?
Does WinSync require the cleartext password to work?

Emmanuel BILLOT wrote:
> I had an idea (maybe totally crazy).
> What happens if, for each FDS entry, the password is updated with the
> same hashed value after init?
> Does WinSync require the cleartext password to work?

WinSync must have access to the clear text password to send it to AD, and vice versa - that's what passsync does - it intercepts the clear text password modification so that it can send the clear text password to Fedora DS.
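To make the point in Rich's last two replies concrete, an added example (not code from the thread or from Fedora DS): it builds a {SSHA} value in the form Fedora DS stores, shows that such a value can be verified against a candidate but never turned back into the password WinSync would need to send, and audits a constructed LDIF export (hypothetical users) to list which accounts hold only a hash. Scheme names other than {SSHA} are treated generically; the {CRYPT} value below is a placeholder, not a real hash.

```python
import base64
import hashlib
import os

SCHEMES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{CLEAR}")


def ssha_hash(password, salt=None):
    """Build a {SSHA} value, base64(sha1(password + salt) + salt), the form Fedora DS stores."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, candidate):
    """Check a candidate against a stored {SSHA} value; the password itself is not recoverable."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the remainder is the salt
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' or 'attr:: base64'."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():
            entries.append({})
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value, as exports often write userPassword
            value = base64.b64decode(value[1:].strip()).decode()
        entries[-1].setdefault(attr, []).append(value.strip())
    return [e for e in entries if e]


def audit_passwords(ldif_text):
    """Per entry: the userPassword scheme and whether only a hash is stored (what a full init copies)."""
    report = {}
    for e in parse_ldif(ldif_text):
        for pw in e.get("userPassword", []):
            scheme = next((s for s in SCHEMES if pw.upper().startswith(s)), "plain")
            report[e["dn"][0]] = {"scheme": scheme, "hashed": scheme not in ("plain", "{CLEAR}")}
    return report


# Constructed sample export (hypothetical users): an {SSHA} entry with a fixed salt so the value
# is reproducible, and a base64-written entry carrying a placeholder {CRYPT} value.
FIXED_SALT = b"\x8a\x17\x2c\x41\x09\x5d\xe3\x70"
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\nuid: alice\n"
    "userPassword: " + ssha_hash("correct horse", FIXED_SALT) + "\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\nuid: bob\n"
    "userPassword:: " + base64.b64encode(b"{CRYPT}placeholderhash").decode() + "\n"
)
```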