Hello,

I have a network with two Windows 2000 servers. I suppose one is master (or primary) and one is secondary; I don't know exactly the vocabulary of Windows. The AD is "replicated" over the two Windows servers.

I installed synchronization between the FDS server and the AD on a host (say Windows-1 server), with a replication agreement, then I installed the password sync on the Windows-1 host. All is OK when the password is changed on the Windows-1 server: the password is synchronized to the FDS.

Now when a user changes his password on a Windows XP station in the AD (the operation is CTRL+ALT+DEL then change password), the password is not necessarily synced to the FDS.

My hypothesis: it seems it depends on which Windows server the password has been changed on. Sometimes the password is synced when, I suppose, the Windows1 server answers the request to change the password, but when the Windows2 server answers, then the password is not synced.

Is my hypothesis correct? Can I install the password sync program on the other Windows2 server even if the replication agreement is between FDS and Windows1 server? What will the behaviour be?

Thanks

-- 
Jean-Noel Chardron
Hello,

jean-Noël Chardron wrote:
> Hello,
>
> I have a network with two Windows 2000 servers. I suppose one is
> master (or primary) and one is secondary; I don't know exactly the
> vocabulary of Windows. The AD is "replicated" over the two Windows servers.
>
> I installed synchronization between the FDS server and the AD on a
> host (say Windows-1 server), with a replication agreement,
> then I installed the password sync on the Windows-1 host.
> All is OK when the password is changed on the Windows-1 server: the
> password is synchronized to the FDS.
>
> Now when a user changes his password on a Windows XP station in the AD
> (the operation is CTRL+ALT+DEL then change password), the password is
> not necessarily synced to the FDS.
> My hypothesis: it seems it depends on which Windows server the
> password has been changed on. Sometimes the password is synced when, I
> suppose, the Windows1 server answers the request to change the
> password, but when the Windows2 server answers, then the password is
> not synced.
>
> Is my hypothesis correct?

Yes, it is correct.
The password is captured in clear by the passsync service on the AD server
which is used by the workstation for the change-password operation.
The master AD server gives the password to slave servers in non-clear mode, and
the encrypted password cannot be captured by the passsync service.

> Can I install the password sync program on the other Windows2 server
> even if the replication agreement is between FDS and Windows1 server?
> What will the behaviour be?

No, you can't.

In the AD-FDS synchronization architecture, only one synchronization is allowed.
If you install two passsync services on two AD servers you risk creating
problems in replication.

cf: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
"WARNING: There can only be a single sync agreement between the
Directory Server environment and the Active Directory environment.
Multiple sync agreements to the same Active Directory domain can
create entry conflicts."

This is the point of failure of the FDS/Windows sync architecture.

regards

-- 
* Hugo Étiévant *
*INRP/SCI*
Hugo Etievant wrote:
> The password is captured in clear by the passsync service on the AD server
> which is used by the workstation for the change-password operation.

Out of curiosity: What happens if the passsync service cannot reach the
FDS via LDAP because of network problems? Is the password sync LDAP
modify operation synchronous, or is there some kind of queue implemented?

Ciao, Michael.
Michael Ströder wrote:
> Hugo Etievant wrote:
>
>> The password is captured in clear by the passsync service on the AD server
>> which is used by the workstation for the change-password operation.
>>
>
> Out of curiosity: What happens if the passsync service cannot reach the
> FDS via LDAP because of network problems? Is the password sync LDAP
> modify operation synchronous, or is there some kind of queue implemented?
>

The log file of the passsync service shows that the password change is deferred
for each user in case of a network problem or bad access rights to LDAP,
constraint violation, etc., until the change is abandoned.

Sample:
01/21/09 15:35:33 Deferring password change for xxx
01/21/09 15:36:12 Deferring password change for xxx
01/21/09 15:37:29 Deferring password change for xxx
[...]
01/21/09 15:39:47 Abandoning password change for xxx backoff expired

-- 
* Hugo Étiévant *
*INRP/SCI*
Hugo Etievant wrote:
> Hello,
>
> jean-Noël Chardron wrote:
>> Hello,
>>
>> I have a network with two Windows 2000 servers. I suppose one is
>> master (or primary) and one is secondary; I don't know exactly the
>> vocabulary of Windows. The AD is "replicated" over the two Windows
>> servers.
>>
>> I installed synchronization between the FDS server and the AD on a
>> host (say Windows-1 server), with a replication agreement,
>> then I installed the password sync on the Windows-1 host.
>> All is OK when the password is changed on the Windows-1 server: the
>> password is synchronized to the FDS.
>>
>> Now when a user changes his password on a Windows XP station in the AD
>> (the operation is CTRL+ALT+DEL then change password), the password is
>> not necessarily synced to the FDS.
>> My hypothesis: it seems it depends on which Windows server the
>> password has been changed on. Sometimes the password is synced when, I
>> suppose, the Windows1 server answers the request to change the
>> password, but when the Windows2 server answers, then the password is
>> not synced.
>>
>> Is my hypothesis correct?
> Yes, it is correct.
> The password is captured in clear by the passsync service on the AD server
> which is used by the workstation for the change-password operation.
> The master AD server gives the password to slave servers in non-clear mode, and
> the encrypted password cannot be captured by the passsync service.
>
>
>> Can I install the password sync program on the other Windows2 server
>> even if the replication agreement is between FDS and Windows1 server?
>> What will the behaviour be?
> No, you can't.
>
> In the AD-FDS synchronization architecture, only one synchronization
> is allowed.
> If you install two passsync services on two AD servers you risk
> creating problems in replication.
>
> cf: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
> "WARNING: There can only be a single sync agreement between the
> Directory Server environment and the Active Directory environment.
> Multiple sync agreements to the same Active Directory domain can
> create entry conflicts."
>
> This is the point of failure of the FDS/Windows sync architecture.
>

Thank you for your reply.
However, by looking in the documentation PDF I found this:

9.2.4. Step 4: Install the Password Sync Service
Password Sync can be installed on every domain controller in the
Active Directory domain in order to synchronize Windows passwords.

I do not know how to interpret the above, so I installed a second
passSync.msi on the slave Windows2 server.

> regards
>

-- 
Jean-Noel Chardron
Délégation CNRS Aquitaine et Limousin
Service du Traitement de l'Information
Avenue des Arts et métiers
BP 105
33402 TALENCE - FRANCE
tel: (33) 5.57.35.58.41
fax: (33) 5.57.35.58.01
MSN: jnc@dr15.cnrs.fr
jean-Noël Chardron wrote:
> Hugo Etievant wrote:
>> Hello,
>>
>> jean-Noël Chardron wrote:
>>> Hello,
>>>
>>> I have a network with two Windows 2000 servers. I suppose one is
>>> master (or primary) and one is secondary; I don't know exactly the
>>> vocabulary of Windows. The AD is "replicated" over the two Windows
>>> servers.
>>>
>>> I installed synchronization between the FDS server and the AD on a
>>> host (say Windows-1 server), with a replication agreement,
>>> then I installed the password sync on the Windows-1 host.
>>> All is OK when the password is changed on the Windows-1 server: the
>>> password is synchronized to the FDS.
>>>
>>> Now when a user changes his password on a Windows XP station in the
>>> AD (the operation is CTRL+ALT+DEL then change password), the
>>> password is not necessarily synced to the FDS.
>>> My hypothesis: it seems it depends on which Windows server the
>>> password has been changed on. Sometimes the password is synced when, I
>>> suppose, the Windows1 server answers the request to change the
>>> password, but when the Windows2 server answers, then the password is
>>> not synced.
>>>
>>> Is my hypothesis correct?
>> Yes, it is correct.
>> The password is captured in clear by the passsync service on the AD server
>> which is used by the workstation for the change-password operation.
>> The master AD server gives the password to slave servers in non-clear mode, and
>> the encrypted password cannot be captured by the passsync service.
>>
>>
>>> Can I install the password sync program on the other Windows2
>>> server even if the replication agreement is between FDS and Windows1
>>> server? What will the behaviour be?
>> No, you can't.
>>
>> In the AD-FDS synchronization architecture, only one synchronization
>> is allowed.
>> If you install two passsync services on two AD servers you risk
>> creating problems in replication.
>>
>> cf: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
>> "WARNING: There can only be a single sync agreement between the
>> Directory Server environment and the Active Directory environment.
>> Multiple sync agreements to the same Active Directory domain can
>> create entry conflicts."
>>
>> This is the point of failure of the FDS/Windows sync architecture.
>>
>>
> Thank you for your reply.
> However, by looking in the documentation PDF I found this:
> 9.2.4. Step 4: Install the Password Sync Service
> Password Sync can be installed on every domain controller in the
> Active Directory domain in order to
> synchronize Windows passwords.
> I do not know how to interpret the above, so I installed a second
> passSync.msi on the slave Windows2 server.

Windows sync (the part that goes from DS to AD) is single master, but
password changes are the exception to this. In fact you must install
PassSync.msi on every AD domain controller to get all of the password changes.

>
>> regards
>>
>
>
Michael Ströder wrote:
> Hugo Etievant wrote:
>
>> The password is captured in clear by the passsync service on the AD server
>> which is used by the workstation for the change-password operation.
>>
>
> Out of curiosity: What happens if the passsync service cannot reach the
> FDS via LDAP because of network problems? Is the password sync LDAP
> modify operation synchronous, or is there some kind of queue implemented?
>

The password change operations are queued.

> Ciao, Michael.
>
> -- 
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Hugo Etievant wrote:
> Michael Ströder wrote:
>> Hugo Etievant wrote:
>>
>>> The password is captured in clear by the passsync service on the AD server
>>> which is used by the workstation for the change-password operation.
>>>
>>
>> Out of curiosity: What happens if the passsync service cannot reach the
>> FDS via LDAP because of network problems? Is the password sync LDAP
>> modify operation synchronous, or is there some kind of queue implemented?
>>
>
>
> The log file of the passsync service shows that the password change is deferred
> for each user in case of a network problem or bad access rights to LDAP,
> constraint violation, etc., until the change is abandoned.
>
> Sample:
> 01/21/09 15:35:33 Deferring password change for xxx
> 01/21/09 15:36:12 Deferring password change for xxx
> 01/21/09 15:37:29 Deferring password change for xxx
> [...]
> 01/21/09 15:39:47 Abandoning password change for xxx backoff expired

Check the access log and errors log for the directory server to see if you
can figure out why the password change was not accepted, if it was not a
network problem.
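An added example, not code from the thread or from the PassSync project, that turns Hugo's log sample and Rich's advice into a check: it walks PassSync log lines, counts deferrals per user, and lists the users whose change was abandoned after the backoff expired (their Directory Server password is now stale, and the DS access/errors logs around those timestamps are where to look). The line shape is assumed from the sample quoted above; the log lines and user names are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the format quoted in the thread; user names are made up.
SAMPLE_LOG = """\
01/21/09 15:35:33 Deferring password change for alice
01/21/09 15:36:12 Deferring password change for alice
01/21/09 15:36:40 Deferring password change for bob
01/21/09 15:37:29 Deferring password change for alice
01/21/09 15:39:47 Abandoning password change for alice backoff expired
"""

# Assumption: PassSync keeps the "MM/DD/YY HH:MM:SS <event> password change
# for <user>" shape shown above; only those two events are modelled.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>Deferring|Abandoning) password change for (?P<user>\S+)"
)

def parse_passsync_log(text):
    """Per-user retry state: deferral count, first/last timestamp, abandoned flag."""
    users = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other PassSync messages are not modelled here
        ts = datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S")
        rec = users.setdefault(m.group("user"),
                               {"deferrals": 0, "first": ts, "last": ts, "abandoned": False})
        rec["last"] = ts
        if m.group("event") == "Deferring":
            rec["deferrals"] += 1
        else:
            rec["abandoned"] = True  # backoff expired: DS never got this password
    return users

def abandoned_users(text):
    """Users whose DS password is now stale; check DS access/errors logs at these times."""
    return sorted(u for u, r in parse_passsync_log(text).items() if r["abandoned"])

def pending_users(text):
    """Users still being retried (deferred but not abandoned) when the log ends."""
    return sorted(u for u, r in parse_passsync_log(text).items() if not r["abandoned"])

def retry_window_seconds(text, user):
    """Seconds from a user's first deferral to the last event logged for them."""
    r = parse_passsync_log(text)[user]
    return int((r["last"] - r["first"]).total_seconds())
```

Run it over the real PassSync log instead of SAMPLE_LOG; every name in abandoned_users() is a user whose AD password change the FDS missed and who will need to change it again once the cause is fixed.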
Rich Megginson wrote:
> jean-Noël Chardron wrote:
>> Hugo Etievant wrote:
>>> Hello,
>>>
>>> jean-Noël Chardron wrote:
>>>> Hello,
>>>>
>>>> I have a network with two Windows 2000 servers. I suppose one is
>>>> master (or primary) and one is secondary; I don't know exactly
>>>> the vocabulary of Windows. The AD is "replicated" over the two
>>>> Windows servers.
>>>>
>>>> I installed synchronization between the FDS server and the AD on a
>>>> host (say Windows-1 server), with a replication agreement,
>>>> then I installed the password sync on the Windows-1 host.
>>>> All is OK when the password is changed on the Windows-1 server: the
>>>> password is synchronized to the FDS.
>>>>
>>>> Now when a user changes his password on a Windows XP station in the
>>>> AD (the operation is CTRL+ALT+DEL then change password), the
>>>> password is not necessarily synced to the FDS.
>>>> My hypothesis: it seems it depends on which Windows server the
>>>> password has been changed on. Sometimes the password is synced when, I
>>>> suppose, the Windows1 server answers the request to change the
>>>> password, but when the Windows2 server answers, then the password
>>>> is not synced.
>>>>
>>>> Is my hypothesis correct?
>>> Yes, it is correct.
>>> The password is captured in clear by the passsync service on the AD server
>>> which is used by the workstation for the change-password operation.
>>> The master AD server gives the password to slave servers in non-clear mode, and
>>> the encrypted password cannot be captured by the passsync service.
>>>
>>>
>>>> Can I install the password sync program on the other Windows2
>>>> server even if the replication agreement is between FDS and
>>>> Windows1 server? What will the behaviour be?
>>> No, you can't.
>>>
>>> In the AD-FDS synchronization architecture, only one synchronization
>>> is allowed.
>>> If you install two passsync services on two AD servers you risk
>>> creating problems in replication.
>>>
>>> cf: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
>>> "WARNING: There can only be a single sync agreement between the
>>> Directory Server environment and the Active Directory environment.
>>> Multiple sync agreements to the same Active Directory domain can
>>> create entry conflicts."
>>>
>>> This is the point of failure of the FDS/Windows sync architecture.
>>>
>>>
>> Thank you for your reply.
>> However, by looking in the documentation PDF I found this:
>> 9.2.4. Step 4: Install the Password Sync Service
>> Password Sync can be installed on every domain controller in the
>> Active Directory domain in order to
>> synchronize Windows passwords.
>> I do not know how to interpret the above, so I installed a second
>> passSync.msi on the slave Windows2 server.
> Windows sync (the part that goes from DS to AD) is single master, but
> password changes are the exception to this. In fact you must install
> PassSync.msi on every AD domain controller to get all of the password
> changes.

OK, thanks. Perhaps an update of the documentation would be welcome, because
for me it was not obvious that it had to be installed on all the Windows
domain servers. I installed the PassSync.msi just on the master Windows
server, so the FDS has missed many password updates.

>>
>>> regards
>>>
>>
>>
>
>

-- 
Jean-Noel Chardron