Re: Winsync Problem with NT4



Hartmut Wöhrle wrote:

Hello Elliot,

On Tuesday, 29 November 2005 21:27, Elliot Schlegelmilch wrote:
I'm a bit confused now. Which password, or which actual?  You can
ldapsearch using the uid=admin,ou=system account and correct password.
"correct password" - that's exactly my problem. I think when setting up the system I did something wrong, because the answer is "Invalid Credentials (49)", which means wrong password. Therefore I cannot connect, not search, and not modify anything.... so what to do? Uninstall and start from scratch?

ldapsearch works, but (as you can see below) my bind password is wrong
(or I can't remember.... :) )
I would suggest opening up your c:\program files\fedora directory
synchronization\conf\usersync.conf in your favorite editor, and see what
password is in it. Try binding as that user. While looking inside that
file, look for the 'server.db.partition.suffix.usersync' field.

While trying to install I changed this password and now it doesn't fit - or maybe I am too stupid because I can not remember.
Then, with this password and base, try another search.

ldapsearch -v -h <your-pdc-host> -D "uid=admin,ou=system" -w pw -b
"dc=home,dc=org" "(objectclass=*)"

I'm just guessing the base, but I assume it's something very similar.

You should see something similar to this:
# Guest, users,
dn: sAMAccountName=Guest,cn=users,dc=example,dc=com
memberOf: sAMAccountName=Domain Guests,cn=users,dc=example,dc=com
lastLogon: 0
objectGUID: 0105000000000005150000003D725165EB1AB15BC9504D49F5010000
countryCode: 0

Ok, so now I know what should come out - good.

Once you can access your PDC from LDAP, there's a lot better chance that
your Fedora Directory Server will be able to for replication.

Exactly, that's why I switched to ldapsearch, because it tells me much more in its output than the logfile from the Replication Log.

Btw... It would be nice to find a schema (written or drawn) which tells
me (or everyone) how winsync and passwordsync work. The pictures in the
manuals tell me which way the servers exchange information, but
within the PDC (or AD) I don't know anything - it is a black box.
And .... I didn't find the sources to check by myself - is it closed
It's not closed source.
The Directory Server yes.
But I don't see (maybe I'm blind) the sources for the ApacheDS at the PDC (Java based) and the sources for winsync software, which comes as a .msi (Microsoft Installer) File.
So is this open source? And where to find it?
The ApacheDS source is available at

The source for the winsync software is in the same source tree as the Directory Server. The PassSync.msi source is in the ldapserver/ldap/synctools directory. The ntds.msi source is in the ldapserver/ldap/servers/ntds directory.

And I think the manual is a little bit too small for the NT Winsync.
With AD it is OK, because you use the LDAP function of the AD and synchronise like a replica - more or less.
But what exactly happens at the NT PDC???
I learned from this forum that winsync installs an ApacheDS as LDAP Server to connect with. OK what next. How does the ApacheDS connect to the PDC. Which user is used for the login - if any?
Does it work like this:
FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=?)
or FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=admin)
My understanding is that the ApacheDS just serves up an LDAP representation of NT's SAM database. It can access this since it is running as Administrator.

And you need the replication manager (with the ACLs to add, modify and delete a user) at the FDS side for the synchronization? So this works like this (push): NT PDC (user=?) --> ApacheDS (uid=admin,ou=system) --> FDS (uid=replmanager,ou=users)
And how does it know which user at the FDS to use?
Or like this (Pull)
FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=?)
FDS pulls the data from ApacheDS.

And how does it work when I use the Password sync? Is there a layer in between the Windows admin tool and the PDC that reads the input and sends it to the FDS before handing it to the PDC directory - but for this it needs an account with administrative rights, which one?
The Windows LSA (local security authority) hands password changes off to PassSync. The PassSync service then attempts to push this password change to FDS. You need to set up a user on the FDS side that has permission to update the userPassword attribute for your user entries. It doesn't matter which user as long as they have the proper rights.


You see there are many questions with this challenging tool.

See U
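The bind test suggested earlier in the thread (read the credentials winsync itself uses out of usersync.conf, try them with ldapsearch, then read the result code) as a small added script. This is example code written for this page, not code from the thread, from Fedora Directory Server or from the sync tools. It assumes usersync.conf is a Java-style key=value file; the key server.db.partition.suffix.usersync is the one named in the thread, while server.usersync.bind.password is a hypothetical key name standing in for wherever the bind password is stored, and uid=admin,ou=system is the bind DN the thread uses.

```shell
#!/bin/sh
# Added example (not from the thread or the product): test the winsync bind
# with the same credentials and suffix the sync tool reads from usersync.conf.
# Assumed: key=value properties format; the bind-password key name is hypothetical.

BIND_DN="uid=admin,ou=system"   # the account the thread binds with

# Print the value of KEY from a properties-style FILE (first match, '#' comments skipped).
prop_get() {  # usage: prop_get FILE KEY
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key are literal
    grep -v '^[[:space:]]*#' "$1" |
        sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Copy the bind password into a file readable only by this user, so it can be
# handed to ldapsearch with -y instead of appearing in `ps` output as `-w pw` does.
write_passfile() {  # usage: write_passfile CONF OUT
    ( umask 077; prop_get "$1" server.usersync.bind.password > "$2" )
}

# Compose (for display) the bind test: a base-scope search of the usersync
# suffix, which only succeeds if both the credentials and the suffix are right.
bind_cmd() {  # usage: bind_cmd CONF HOST PASSFILE
    suffix=$(prop_get "$1" server.db.partition.suffix.usersync)
    printf 'ldapsearch -x -h %s -D "%s" -y %s -b "%s" -s base "(objectclass=*)"' \
        "$2" "$BIND_DN" "$3" "$suffix"
}

# Run the same search directly (no eval, so odd characters in the conf are safe).
run_bind() {  # usage: run_bind CONF HOST PASSFILE ; returns ldapsearch's status
    suffix=$(prop_get "$1" server.db.partition.suffix.usersync)
    ldapsearch -x -h "$2" -D "$BIND_DN" -y "$3" -b "$suffix" -s base "(objectclass=*)" >/dev/null 2>&1
}

# ldapsearch exits with the LDAP result code; name the likely fault so that a
# 49 is treated as a password problem and not as a network one.
explain_rc() {  # usage: explain_rc STATUS
    case "$1" in
        0)   echo "bind and search succeeded";;
        32)  echo "bind ok, but the base DN does not exist: check the suffix";;
        49)  echo "invalid credentials: the password in usersync.conf is not the one the directory accepts";;
        255) echo "cannot contact server: fix host/port before looking at passwords";;
        *)   echo "LDAP result code $1";;
    esac
}

# Constructed sample configuration for the demonstration (not a real product file).
make_sample_conf() {  # usage: make_sample_conf OUT
    cat > "$1" <<'EOF'
# constructed usersync.conf fragment
server.db.partition.suffix.usersync = dc=example,dc=com
server.usersync.bind.password = s3cret-example
EOF
}

conf=$(mktemp); pass=$(mktemp)
make_sample_conf "$conf"
write_passfile "$conf" "$pass"
echo "would run: $(bind_cmd "$conf" pdc.example.com "$pass")"
if command -v ldapsearch >/dev/null 2>&1; then
    run_bind "$conf" pdc.example.com "$pass"
    explain_rc "$?"
fi
rm -f "$conf" "$pass"
```

Run it against the real usersync.conf path and PDC hostname once the hypothetical password key is replaced by the one actually present in the file; a 49 from the script confirms the stored password is the thing to fix, while a 255 means the password is not even being tested yet.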


Fedora-directory-users mailing list
