Greetings All,

This is a last ditch effort on my part to try to find a solution. I have spent 2 months preparing, testing, and troubleshooting a FDS to AD sync. User accounts sync fine both ways, but unfortunately that part is not what we are truly after. We already have a user account process for creating the accounts in both places; what we are after is password syncing between FDS and MS AD. The Pass Sync utility has been installed on the PDC AD machine, and the service is running, but best we can tell it simply isn't doing anything. If you change a password in AD, it does not get replicated to FDS. I'm really not sure where to go from here. I was hoping to find a log where passync was writing the changes to be replicated just to see if it was capturing them, but cannot find in the documentation where that exists. I did find the log in the passync directory, but all it shows is the startup of the service. Any help would be greatly appreciated.

Sincerely,

Doug Tucker
SMU
On 09/04/2009 11:59 AM, Doug Tucker wrote:
> I was hoping to find a log where passync was writing the changes to be
> replicated just to see if it was capturing them, but cannot find in the
> documentation where that exists. I did find the log in the passync
> directory, but all it shows is the startup of the service. Any help
> would be greatly appreciated.

1 - In windows registry HKLM\Software\PasswordSync, change the "log level" setting from "0" to "1"

2 - Restart the passsync service

3 - look for passsync.log under C:\Program Files\*Password Synchronization\

--Chandra

> Sincerely,
>
> Doug Tucker
> SMU
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
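The three steps above, as an added PowerShell example that is not part of the thread and not shipped by the 389/PassSync project. It assumes the registry value is named exactly "Log Level", that the Windows service is registered under the name "PassSync" (the thread only calls it "the passsync service"), and that the install directory matches the wildcard path given above; adjust those if your installation differs. Run it in an elevated session on the domain controller where PassSync is installed.

```powershell
# Added example (not from the thread): enable PassSync logging, restart the
# service, and follow passsync.log so that a test password change can be
# seen being picked up.
# Assumptions: value name "Log Level", service name "PassSync", and the
# install directory under C:\Program Files\*Password Synchronization.

$RegKey      = 'HKLM:\SOFTWARE\PasswordSync'
$LogValue    = 'Log Level'                                # assumed value name
$ServiceName = 'PassSync'                                 # assumed service name
$LogDir      = 'C:\Program Files\*Password Synchronization'   # wildcard as quoted in the thread

# Step 1: note the current level (so it can be put back after troubleshooting)
# and raise it from "0" to "1". The value is written as a string to match the
# quoted "0"/"1" in the thread; Set-ItemProperty keeps the existing value type.
$current = (Get-ItemProperty -Path $RegKey -Name $LogValue -ErrorAction Stop).$LogValue
Write-Host "Current '$LogValue' = $current"
Set-ItemProperty -Path $RegKey -Name $LogValue -Value '1' -ErrorAction Stop

# Step 2: restart the service so it rereads the registry.
Restart-Service -Name $ServiceName -ErrorAction Stop
Write-Host "Service '$ServiceName' is $((Get-Service -Name $ServiceName).Status)"

# Step 3: find passsync.log under the install directory and follow it.
$log = Get-ChildItem -Path $LogDir -Filter 'passsync.log' -Recurse -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $log) { throw "passsync.log not found under $LogDir" }
Write-Host "Following $($log.FullName); change a test account's password on this DC and watch for it here."
Get-Content -Path $log.FullName -Tail 50 -Wait
```

Once the problem is understood, set "Log Level" back to the value printed at the start and restart the service again; a debug log that is left on grows indefinitely on a domain controller.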
On 09/04/2009 03:54 PM, Chandrasekar Kannan wrote:
> On 09/04/2009 11:59 AM, Doug Tucker wrote:
>> I was hoping to find a log where passync was writing the changes to be
>> replicated just to see if it was capturing them, but cannot find in the
>> documentation where that exists.

documented here - http://directory.fedoraproject.org/wiki/Howto:WindowsSync#PassSync_Logging

>> I did find the log in the passync
>> directory, but all it shows is the startup of the service. Any help
>> would be greatly appreciated.
>
> 1 - In windows registry HKLM\Software\PasswordSync,
> change the "log level" setting from "0" to "1"
>
> 2 - Restart the passsync service
>
> 3 - look for passsync.log under C:\Program Files\*Password
> Synchronization\
>
> --Chandra
> > 1 - In windows registry HKLM\Software\PasswordSync,
> > change the "log level" setting from "0" to "1"
> >
> > 2 - Restart the passsync service
> >
> > 3 - look for passsync.log under C:\Program Files\*Password
> > Synchronization\
> >
> > --Chandra

Thanks, I'll ask the windows guy to set this. I haven't seen anything about this, but merely thinking. If the passync service is installed on the PDC host, and a windows user changes their password but is connected to the BDC when they do so, will passync still catch the change?
It should. The BDC will replicate the change to the PDC and that should register as a password change to PassSync and that will then replicate the change to the 389 server. I have PassSync running in our environment and have had users change their password from the office which is running a secondary DC and the change gets reflected in the 389 system within <5 minutes of the AD replication.

----
Jeff Moody
Senior Systems Engineer
EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.moody@evscorporation.com

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Doug Tucker
Sent: Tuesday, September 08, 2009 9:05 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Pass Sync Doesn't Work

Thanks, I'll ask the windows guy to set this. I haven't seen anything about this, but merely thinking. If the passync service is installed on the PDC host, and a windows user changes their password but is connected to the BDC when they do so, will passync still catch the change?
> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Doug Tucker
> Sent: Tuesday, September 08, 2009 9:05 AM
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Pass Sync Doesn't Work
>
> Thanks, I'll ask the windows guy to set this. I haven't seen anything
> about this, but merely thinking. If the passync service is installed on
> the PDC host, and a windows user changes their password but is
> connected to the BDC when they do so, will passync still catch the
> change?

OK! The logging was a tremendous help to at least seeing where the failure is. When the password change is made on the PDC, passync DOES catch it and replicate to 389. However, if the password change occurs on the BDC, even though we see the change replicated to the PDC, passync is NOT catching it and replicating to 389. Does anyone have any ideas?
On 09/08/2009 09:14 AM, Doug Tucker wrote:
> OK! The logging was a tremendous help to at least seeing where the
> failure is. When the password change is made on the PDC, passync DOES
> catch it and replicate to 389. However, if the password change occurs
> on the BDC, even though we see the change replicated to the PDC, passync
> is NOT catching it and replicating to 389. Does anyone have any ideas?

I believe The Password Sync Service must be installed on every Active Directory domain controller.
> I believe The Password Sync Service must be installed on every Active
> Directory domain controller.

It appeared that way for no other reason than it wasn't working, but I can't find anything in the documentation to indicate that, and someone else that responded indicated he sees the change after the BDC replicates it to the PDC. Was just hoping for some official word that states that this must be done.

Sincerely,

Doug
On Tue, 08 Sep 2009, Doug Tucker wrote:
> > I believe The Password Sync Service must be installed on every Active
> > Directory domain controller.
>
> It appeared that way for no other reason than it wasn't working, but I
> can't find anything in the documentation to indicate that, and someone
> else that responded indicated he sees the change after the BDC
> replicates it to the PDC. Was just hoping for some official word that
> states that this must be done.

I'm not seeing anything in the docs either, but it would make sense, since I'm relatively sure that when the password syncs from one Active Directory replica to another (no such thing as PDCs and BDCs these days, y'know), I'd assume it's passing the hash and not the password, so there'd be no way to get it into your LDAP server.

If that's the case (and I'm pretty sure it is), you'd need PassSync set up on all of your Active Directory servers, since any of them could be the one the user gave the actual password to.
On 09/08/2009 01:04 PM, Morris, Patrick wrote:
> On Tue, 08 Sep 2009, Doug Tucker wrote:
>> It appeared that way for no other reason than it wasn't working, but I
>> can't find anything in the documentation to indicate that, and someone
>> else that responded indicated he sees the change after the BDC
>> replicates it to the PDC. Was just hoping for some official word that
>> states that this must be done.
>
> I'm not seeing anything in the docs either,

which docs are you referring to? Have a url?

> but it would make sense,
> since I'm relatively sure that when the password syncs from one Active
> Directory replica to another (no such thing as PDCs and BDCs these days,
> y'know), I'd assume it's passing the hash and not the password, so
> there'd be no way to get it into your LDAP server.
>
> If that's the case (and I'm pretty sure it is), you'd need PassSync set
> up on all of your Active Directory servers, since any of them could be
> the one the user gave the actual password to.
On Tue, 2009-09-08 at 16:08 -0700, Chandrasekar Kannan wrote:
> On 09/08/2009 01:04 PM, Morris, Patrick wrote:
> > I'm not seeing anything in the docs either,
>
> which docs are you referring to? Have a url?

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html

This is what I have been using for how to set this up. I cannot find any reference to the need to install passync on all of the controllers in the domain, it only references the primary. And according to our windows guy here, MS changed terminology, but there is definitely a primary and then the others are bdc's.

I agreed that from just a thinking perspective it would have to be done, but then someone in this thread earlier indicated that changes made to his bdc were synced to 389 after it replicated to the pdc, which kinda left me in limbo that I may still have something wrong, and before I have the windows guy start installing it everywhere, I wanted to hear from someone truly "in the know" of what needed to be done.
On 09/09/2009 06:59 AM, Doug Tucker wrote:
> On Tue, 2009-09-08 at 16:08 -0700, Chandrasekar Kannan wrote:
>> On 09/08/2009 01:04 PM, Morris, Patrick wrote:
>>> I'm not seeing anything in the docs either,
>>
>> which docs are you referring to? Have a url?
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html

updated url http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html#Windows_Sync-About_Windows_Sync has a reference to that ...

"The Password Sync Service must be installed on every Active Directory domain controller"

hope that helps...

> This is what I have been using for how to set this up. I cannot find
> any reference to the need to install passync on all of the controllers
> in the domain, it only references the primary. And according to our
> windows guy here, MS changed terminology, but there is definitely a
> primary and then the others are bdc's.
>
> I agreed that from just a thinking perspective it would have to be done,
> but then someone in this thread earlier indicated that changes made to
> his bdc were synced to 389 after it replicated to the pdc, which kinda
> left me in limbo that I may still have something wrong, and before I
> have the windows guy start installing it everywhere, I wanted to hear
> from someone truly "in the know" of what needed to be done.
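The conclusion the thread reaches (PassSync has to run on every domain controller, because only the DC that received the new password in clear sees it; what replicates between DCs is the hash) turns into a simple compliance check. The PowerShell below is an added example, not from the thread and not part of the 389/PassSync project: it enumerates the domain's controllers and reports on which of them the service is missing or stopped. It assumes the RSAT ActiveDirectory module on the admin workstation, WinRM enabled on the DCs, and the service name "PassSync" (the thread only says "the passsync service").

```powershell
# Added example (not from the thread): report every domain controller that is
# missing the PassSync service or has it stopped. A DC without PassSync can
# still accept password changes, and those changes will never reach 389 DS.
# Assumptions: ActiveDirectory module available, WinRM reachable on each DC,
# service registered as "PassSync".

Import-Module ActiveDirectory
$ServiceName = 'PassSync'   # assumed service name

# Every DC in the current domain, not just the one holding the PDC emulator role.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        $svc = Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $ServiceName -ScriptBlock {
            param($name)
            Get-Service -Name $name -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            DomainController = $dc
            Installed        = [bool]$svc
            Status           = if ($svc) { $svc.Status.ToString() } else { 'Not installed' }
        }
    }
    catch {
        # Unreachable DCs are reported rather than silently skipped, since a DC we
        # cannot inspect is a DC we cannot vouch for.
        [pscustomobject]@{
            DomainController = $dc
            Installed        = $false
            Status           = "Unreachable: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

$gaps = $report | Where-Object { -not $_.Installed -or $_.Status -ne 'Running' }
if ($gaps) {
    Write-Warning ("Password changes made against these DCs will not sync to 389 DS: " +
                   ($gaps.DomainController -join ', '))
} else {
    Write-Host "PassSync is installed and running on all $($report.Count) domain controllers."
}
```

Running this after each new DC is promoted catches exactly the gap Doug hit: a user whose workstation happened to authenticate against a controller without the service, whose change then arrived at the PDC only as a replicated hash.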