#4837 Password does not sync
Closed: Fixed None Opened 5 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1181093

Description of problem:
Password of AD user is not syncing to IPA

Version-Release number of selected component (if applicable):
[root@sideswipe ~]# rpm -q ipa-server 389-ds-base
ipa-server-4.1.0-13.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64


How reproducible:


Steps to Reproduce:
1. Install IPA
2. Create winsync agreement
3. Add new user on AD and set password
4. Reset password of existing user
5. Passwords in above cases should sync on IPA server

Actual results:
[root@sideswipe ~]# hostname
sideswipe.ipasync.test

[root@sideswipe ~]# ipa user-show aduser1
  User login: aduser1
  First name: ads
  Last name: user
  Home directory: /home/aduser1
  Login shell: /bin/sh
  Email address: aduser1@testrelm.test
  UID: 184400014
  GID: 184400014
  Telephone Number: 66778839
  Account disabled: False
  Password: False
  Kerberos keys available: False

Logs on resetting password on AD

01/12/15 16:38:50: Received passhook event.  Attempting sync
01/12/15 16:38:50: 1 new entries loaded from data file
01/12/15 16:38:50: Cleared contents of data file
01/12/15 16:38:50: Password list has 2 entries
01/12/15 16:38:51: Attempting to sync password for frank
01/12/15 16:38:51: Searching for (ntuserdomainid=frank)
01/12/15 16:38:51: There are no entries that match: frank
01/12/15 16:38:51: Deferring password change for frank
01/12/15 16:38:51: Attempting to sync password for aduser1
01/12/15 16:38:51: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:51: There are no entries that match: aduser1
01/12/15 16:38:51: Deferring password change for aduser1
01/12/15 16:38:51: Backing off for 2000ms
01/12/15 16:38:53: Backoff time expired.  Attempting sync
01/12/15 16:38:53: Password list has 2 entries
01/12/15 16:38:53: Attempting to sync password for frank
01/12/15 16:38:53: Searching for (ntuserdomainid=frank)
01/12/15 16:38:53: There are no entries that match: frank
01/12/15 16:38:53: Deferring password change for frank
01/12/15 16:38:53: Attempting to sync password for aduser1
01/12/15 16:38:53: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:53: There are no entries that match: aduser1
01/12/15 16:38:53: Deferring password change for aduser1
01/12/15 16:38:53: Backing off for 4000ms
01/12/15 16:38:57: Backoff time expired.  Attempting sync
01/12/15 16:38:57: Password list has 2 entries
01/12/15 16:38:57: Attempting to sync password for frank
01/12/15 16:38:57: Searching for (ntuserdomainid=frank)
01/12/15 16:38:57: There are no entries that match: frank
01/12/15 16:38:57: Deferring password change for frank
01/12/15 16:38:57: Attempting to sync password for aduser1
01/12/15 16:38:57: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:57: There are no entries that match: aduser1
01/12/15 16:38:57: Deferring password change for aduser1
01/12/15 16:38:57: Backing off for 8000ms


Expected results:
Passwords must sync on IPA server

Additional info:

Patch freeipa-mkosek-489-allow-replication-administrators-to-manipulate-winsy.patch sent for review

This is a regression and needs to be addressed in 4.0.x.
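The PassSync log quoted in the description shows the failure signature of this bug: every retry round searches `(ntuserdomainid=<user>)`, gets no match, defers the change and backs off with a doubling interval (2000, 4000, 8000 ms). The following script is an added example, not part of the ticket or of the FreeIPA/PassSync code. It parses that log format with the message patterns visible on this page only, counts attempts, no-match results and deferrals per user, and flags users that were deferred on every attempt. When every user in the password list is stuck like this even though `ipa user-show` finds them, the likely cause is the sync bind user's permissions (what the fix in this ticket addresses) rather than missing entries. The sample log is constructed after the ticket's excerpt; the third user `bob` and the `report` helper are my additions, and the sample omits whatever success message PassSync prints on a match, because the ticket log contains none.

```python
#!/usr/bin/env python3
"""Flag PassSync password changes that keep being deferred.

Added example; message patterns are taken from the log quoted in the
ticket. The sample log below is constructed, not captured.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (.*)$")
ATTEMPT_RE = re.compile(r"^Attempting to sync password for (\S+)$")
NOMATCH_RE = re.compile(r"^There are no entries that match: (\S+)$")
DEFER_RE = re.compile(r"^Deferring password change for (\S+)$")
BACKOFF_RE = re.compile(r"^Backing off for (\d+)ms$")

# Constructed sample modelled on the ticket's excerpt; 'bob' is added to
# show a user that is attempted once and not deferred.
SAMPLE_LOG = """\
01/12/15 16:38:50: Received passhook event.  Attempting sync
01/12/15 16:38:50: 1 new entries loaded from data file
01/12/15 16:38:50: Cleared contents of data file
01/12/15 16:38:50: Password list has 3 entries
01/12/15 16:38:51: Attempting to sync password for frank
01/12/15 16:38:51: Searching for (ntuserdomainid=frank)
01/12/15 16:38:51: There are no entries that match: frank
01/12/15 16:38:51: Deferring password change for frank
01/12/15 16:38:51: Attempting to sync password for aduser1
01/12/15 16:38:51: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:51: There are no entries that match: aduser1
01/12/15 16:38:51: Deferring password change for aduser1
01/12/15 16:38:51: Attempting to sync password for bob
01/12/15 16:38:51: Searching for (ntuserdomainid=bob)
01/12/15 16:38:51: Backing off for 2000ms
01/12/15 16:38:53: Backoff time expired.  Attempting sync
01/12/15 16:38:53: Password list has 2 entries
01/12/15 16:38:53: Attempting to sync password for frank
01/12/15 16:38:53: Searching for (ntuserdomainid=frank)
01/12/15 16:38:53: There are no entries that match: frank
01/12/15 16:38:53: Deferring password change for frank
01/12/15 16:38:53: Attempting to sync password for aduser1
01/12/15 16:38:53: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:53: There are no entries that match: aduser1
01/12/15 16:38:53: Deferring password change for aduser1
01/12/15 16:38:53: Backing off for 4000ms
01/12/15 16:38:57: Backoff time expired.  Attempting sync
01/12/15 16:38:57: Password list has 2 entries
01/12/15 16:38:57: Attempting to sync password for frank
01/12/15 16:38:57: Searching for (ntuserdomainid=frank)
01/12/15 16:38:57: There are no entries that match: frank
01/12/15 16:38:57: Deferring password change for frank
01/12/15 16:38:57: Attempting to sync password for aduser1
01/12/15 16:38:57: Searching for (ntuserdomainid=aduser1)
01/12/15 16:38:57: There are no entries that match: aduser1
01/12/15 16:38:57: Deferring password change for aduser1
01/12/15 16:38:57: Backing off for 8000ms
"""


def parse_passsync_log(text):
    """Return ({user: counters}, [backoff_ms, ...]) for a PassSync log."""
    users = defaultdict(lambda: {"attempts": 0, "no_match": 0, "deferred": 0})
    backoffs = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-timestamped line
        msg = m.group(2)
        if (a := ATTEMPT_RE.match(msg)):
            users[a.group(1)]["attempts"] += 1
        elif (n := NOMATCH_RE.match(msg)):
            users[n.group(1)]["no_match"] += 1
        elif (d := DEFER_RE.match(msg)):
            users[d.group(1)]["deferred"] += 1
        elif (b := BACKOFF_RE.match(msg)):
            backoffs.append(int(b.group(1)))
    return dict(users), backoffs


def stuck_users(users, min_attempts=2):
    """Users whose every attempt ended in 'no entries match' + deferral."""
    return sorted(u for u, c in users.items()
                  if c["attempts"] >= min_attempts
                  and c["deferred"] == c["attempts"]
                  and c["no_match"] == c["attempts"])


def is_exponential_backoff(backoffs):
    """True when each back-off interval doubles the previous one."""
    return len(backoffs) >= 2 and all(b == 2 * a for a, b in zip(backoffs, backoffs[1:]))


def report(text):
    """Summary a defender can act on: which users are stuck, and whether
    all of them are (pointing at the sync bind user's permissions)."""
    users, backoffs = parse_passsync_log(text)
    stuck = stuck_users(users)
    return {
        "stuck": stuck,
        "backoffs": backoffs,
        "doubling": is_exponential_backoff(backoffs),
        "all_stuck": bool(stuck) and len(stuck) == len(users),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the ticket's own log (without the constructed `bob` lines) the result is `all_stuck: True`, which is the case where the first thing to check is whether the PassSync bind user can even read `ntuserdomainid`, as the testing instructions further down do with `ldapsearch`.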

Testing Instructions

Either test with PassSync software directly or verify that passsync system user can see NT attribute and change user passwords:

# ldapsearch -D "uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test" -x \
    -w Secret123 -b cn=users,cn=accounts,dc=mkosek-f21,dc=test \
    "(ntuserdomainid=testuser)" ntuserdomainid
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (ntuserdomainid=testuser)
# requesting: ntuserdomainid
#

# testuser, users, accounts, mkosek-f21.test
dn: uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test
ntuserdomainid: testuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


# ldappasswd -D "uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test" -x \
    -w Secret123 uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test -s newPassword
[root@ipa ~]# echo $?
0

Moving to 4.0 - patch conflicts in 4.0 and is not critical enough to be adding this branch, given 4.1 is officially supported.

master:

  • 6652c4e Allow PassSync user to locate and update NT users

ipa-4-1:

  • 282d1ec Allow PassSync user to locate and update NT users

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 4.1.3

3 years ago
