active directory password sync

On Wed, Jan 27, 2010 at 5:30 PM, Ldap Tester <ldap.tester at gmail.com> wrote:

> I have two 389 servers, one under fedora 12 and one under fedora 11.
> They have the following packages:
>
> 389-admin-1.1.9-1.fc12.x86_64
> 389-admin-console-1.1.4-2.fc12.noarch
> 389-admin-console-doc-1.1.4-2.fc12.noarch
> 389-adminutil-1.1.8-4.fc12.x86_64
> 389-console-1.1.3-5.fc12.noarch
> 389-ds-1.1.3-5.fc12.noarch
> 389-ds-base-1.2.5-1.fc12.x86_64
> 389-ds-base-devel-1.2.5-1.fc12.x86_64
> 389-ds-console-1.2.0-5.fc12.noarch
> 389-ds-console-doc-1.2.0-5.fc12.noarch
> 389-dsgw-1.1.4-1.fc12.x86_64
>
> 389-admin-1.1.8-4.fc11.x86_64
> 389-admin-console-1.1.4-1.fc11.noarch
> 389-admin-console-doc-1.1.4-1.fc11.noarch
> 389-adminutil-1.1.8-3.fc11.x86_64
> 389-console-1.1.3-4.fc11.noarch
> 389-ds-1.1.3-4.fc11.noarch
> 389-ds-base-1.2.5-1.fc11.x86_64
> 389-ds-base-devel-1.2.5-1.fc11.x86_64
> 389-ds-console-1.2.0-4.fc11.noarch
> 389-ds-console-doc-1.2.0-4.fc11.noarch
> 389-dsgw-1.1.4-1.fc11.x86_64
>
> They are set up as multi masters.
>
> I also have a windows 2003 Active Directory server.
> I have password sync'ing set up between the AD and the fedora 12 389
> server.
>
> This has been working for several years.
> I have recently noticed a problem that may have existed for some time now,
> maybe always.
>
> If I change a user password via windows, everything works as expected.
> The password changes on windows and both fedora machines.
> If I change a user password via the fedora 12 machine,
> the one that has the sync agreement with the windows machine,
> again, everything works as expected,
> The password changes on windows and both fedora machines.
>
> However, if I change a user password via the fedora 11 machine,
> the one that does not have the sync agreement with the windows machine,
> then, the password changes on both fedora machines,
> but NOT on the windows machine.
>
> This is not how it is supposed to work, right?
>
> I have looked at all sorts of logs, and still have no clue as to the
> problem.
> (I do not believe it is a fedora 11 versus fedora 12 problem.)
> Does anybody have any ideas?
>

I had the same scenario.

Remember that the encrypted passwords are not synchronized with
Windows.

When you change your password on your F11, it is stored encrypted. Then
MMR transmits "userPassword" encrypted to your F12. Therefore, the
password does not synchronize with Windows, since, as already mentioned,
it is encrypted.

In my case, I decided to change to a Master / Slave scenario. Thus, your
F11 will be read-only and such changes will be forwarded to your F12
(this includes passwd), where they will be written.


Greetings

P.S.: I apologize for my poor English.
-- 
Sergio A. Morales <sergiomorales at archlinux.cl>
uSCI & CSRG Sysadmin
Archlinux Chile



But I have set
pam_password clear
in /etc/ldap.conf on both fedora machines.
I rely on ssl for security.
I had to do this in order to get password syncing with windows to work at all.
Shouldn't that take care of the problem you describe above?