Re: PassSync only working one way

[Ulf Weltman <ulf.weltman@xxxxxx>]

UnicodePwd has to be little-endian unicode and with quotes around it.  
You can do something like...

echo \"Secret12\" > pass.txt
iconv -t UNICODELITTLE -o unicodepass.txt pass.txt

And then base64 encode unicodepass.txt and use the result for unicodePwd 
value.

I got the details from http://support.microsoft.com/?kbid=269190 originally.

Ulf

Jeff Gamsby wrote:

> Correct. It was not enabled when I first installed and configured 
> PassSync. I tried to use ldapmodify to change the password, but that 
> didn't work either.
>
> To use ldapmodify, do I change UnicodePwd?
>
> How do I generate UnicodePwd?
>
> dn: cn=user,cn=users,dc=ad,dc=server,dc=com
> changetype: modify
> replace: unicodepwd
> unicodepwd:
>
> Thanks
> Jeff
>
>
> Nathan Kinder wrote:
>
> > Jeff Gamsby wrote:
> >
> > > Thanks for responding.
> > > I have windows 2000, the default password policy is disabled by 
> > > default, but I did turn it on to see if that was the problem and 
> > > also tried more complex passwords when testing. Nothing has worked 
> > > so far. I'm not even sure if there is any other tests that I can do, 
> > > I've turned up the logging, but it still doesn't give me any clues 
> > > as to what is going on.
> >
> > Are you saying that you enabled Active Directorys password complexity 
> > option?  I'm pretty sure that is required for passwords to sync from 
> > FDS -> AD.  You could also attempt to use ldapmodify against AD to 
> > remotely change a users password over SSL as a test.
> >
> > It sounds like everything with the PassSync service is fine since 
> > passwords are working from AD -> FDS.
> >
> > -NGK
> >
> > > Thanks,
> > > Jeff
> > >
> > > nattapon viroonsri wrote:
> > >
> > > > When i add user or change password at fds side , it stuck with 
> > > > windows (2003)  default password policy.
> > > > So i  have to chage to more strict password or disable policy at ads ,
> > > > then fds  sync with ads completely.( can log on to ads with same 
> > > > password as fds user)
> > > >
> > > > im not sure this is  same case as you.
> > > >
> > > > Regards,
> > > > Nattapon
> > > >
> > > >
> > > > > From: Jeff Gamsby <JFGamsby@xxxxxxx>
> > > > > Reply-To: "General discussion list for the Fedora Directory server 
> > > > > project." <fedora-directory-users@xxxxxxxxxx>
> > > > > To: "General discussion list for the Fedora Directory server 
> > > > > project." <fedora-directory-users@xxxxxxxxxx>
> > > > > Subject:  PassSync only working one way
> > > > > Date: Tue, 13 Jun 2006 15:08:03 -0700
> > > > > MIME-Version: 1.0
> > > > > Received: from hormel.redhat.com ([209.132.177.30]) by 
> > > > > bay0-mc4-f5.bay0.hotmail.com with Microsoft 
> > > > > SMTPSVC(6.0.3790.2444); Tue, 13 Jun 2006 15:08:15 -0700
> > > > > Received: from listman.util.phx.redhat.com 
> > > > > (listman.util.phx.redhat.com [10.8.4.110])by hormel.redhat.com 
> > > > > (Postfix) with ESMTPid 7DA3A73550; Tue, 13 Jun 2006 18:08:12 -0400 
> > > > > (EDT)
> > > > > Received: from int-mx1.corp.redhat.com 
> > > > > (int-mx1.corp.redhat.com[172.16.52.254])by 
> > > > > listman.util.phx.redhat.com (8.13.1/8.13.1) with ESMTP 
> > > > > idk5DM8BEP021980for 
> > > > > <fedora-directory-users@xxxxxxxxxxxxxxxxxxxxxxxxxxx>;Tue, 13 Jun 
> > > > > 2006 18:08:11 -0400
> > > > > Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])by 
> > > > > int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP 
> > > > > idk5DM8B7P010237for <fedora-directory-users@xxxxxxxxxx>; Tue, 13 
> > > > > Jun 2006 18:08:11 -0400
> > > > > Received: from mta1.lbl.gov (mta1.lbl.gov [128.3.41.24])by 
> > > > > mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP 
> > > > > idk5DM8ATa017845for <fedora-directory-users@xxxxxxxxxx>; Tue, 13 
> > > > > Jun 2006 18:08:10 -0400
> > > > > Received: from mta1.lbl.gov (localhost [127.0.0.1])by mta1.lbl.gov 
> > > > > (8.13.6/8.13.6) with ESMTP id k5DM83Do029430for 
> > > > > <fedora-directory-users@xxxxxxxxxx>;Tue, 13 Jun 2006 15:08:03 
> > > > > -0700 (PDT)
> > > > > Received: from [131.243.161.186] (charlie.lbl.gov 
> > > > > [131.243.161.186])by mta1.lbl.gov (8.13.6/8.13.6) with ESMTP id 
> > > > > k5DM82oT029426for <fedora-directory-users@xxxxxxxxxx>;Tue, 13 Jun 
> > > > > 2006 15:08:03 -0700 (PDT)
> > > > > X-Message-Info: LsUYwwHHNt1YGVdsJHk9XJ3CjXqSQnQhAaTm5/PIsXI=
> > > > > User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
> > > > > X-Virus-Scanned: ClamAV 0.88.2/1538/Tue Jun 13 13:17:56 2006 on mta1
> > > > > X-Virus-Status: Clean
> > > > > X-RedHat-Spam-Score: 0 X-loop: fedora-directory-users@xxxxxxxxxx
> > > > > X-BeenThere: fedora-directory-users@xxxxxxxxxx
> > > > > X-Mailman-Version: 2.1.5
> > > > > Precedence: junk
> > > > > List-Id: "General discussion list for the Fedora Directory server 
> > > > > project."<fedora-directory-users.redhat.com>
> > > > > List-Unsubscribe: 
> > > > > <https://www.redhat.com/mailman/listinfo/fedora-directory-users>,<mailto:fedora-directory-users-request@xxxxxxxxxx?subject=unsubscribe> 
> > > > >
> > > > > List-Archive: 
> > > > > <https://www.redhat.com/archives/fedora-directory-users>
> > > > > List-Post: <mailto:fedora-directory-users@xxxxxxxxxx>
> > > > > List-Help: 
> > > > > <mailto:fedora-directory-users-request@xxxxxxxxxx?subject=help>
> > > > > List-Subscribe: 
> > > > > <https://www.redhat.com/mailman/listinfo/fedora-directory-users>,<mailto:fedora-directory-users-request@xxxxxxxxxx?subject=subscribe> 
> > > > >
> > > > > Errors-To: fedora-directory-users-bounces@xxxxxxxxxx
> > > > > Return-Path: fedora-directory-users-bounces@xxxxxxxxxx
> > > > > X-OriginalArrivalTime: 13 Jun 2006 22:08:16.0215 (UTC) 
> > > > > FILETIME=[DEE3D670:01C68F35]
> > > > >
> > > > > I thought that I had the PassSync working until I ran into this 
> > > > > problem:
> > > > >
> > > > > Passwords are not synchronized from FDS to AD.  When accounts are 
> > > > > added to FDS, they do show up in AD ( Although sometimes the cn 
> > > > > attribute gets base64 encoded ), but I cannot authenticate to AD. 
> > > > > When I change passwords in the FDS side, they are not changed ( or 
> > > > > not sent ) to AD. If I change passwords in AD, they are changed in 
> > > > > the FDS.
> > > > >
> > > > > The logs show that something is happening (changed host names and 
> > > > > dn's)
> > > > >
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
> > > > > (ad:636): No linger to cancel on the connection
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - 
> > > > > windows_acquire_replica returned success (101)
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
> > > > > (ad:636): State: ready_to_acquire_replica -> sending_updates
> > > > > [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay 
> > > > > (agmt="cn=AD" (ad:636)): Consumer RUV:
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
> > > > > (ad:636): {replicageneration} 448f18ae000000010000
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
> > > > > (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 
> > > > > 448f363d03d400010000 448f363d
> > > > > [13/Jun/2006:15:03:41 -0700] - _cl5PositionCursorForReplay 
> > > > > (agmt="cn=AD" (ad:636)): Supplier RUV:
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
> > > > > (ad:636): {replicageneration} 448f18ae000000010000
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
> > > > > (ad:636): {replica 1 ldap://fds:389} 448f18e4000100010000 
> > > > > 448f363d03d700010000 448f363d
> > > > > [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - session 
> > > > > start: anchorcsn=448f363d03d400010000
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - changelog 
> > > > > program - agmt="cn=AD" (ad:636): CSN 448f363d03d400010000 found, 
> > > > > position set for replay
> > > > > [13/Jun/2006:15:03:41 -0700] agmt="cn=AD" (ad:636) - load=1 rec=1 
> > > > > csn=448f363d03d600010000
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
> > > > > (ad:636): windows_replay_update: Looking at modify operation local 
> > > > > dn="uid=user,ou=people,dc=server,dc=,dc=" (ours,user,not group)
> > > > > [13/Jun/2006:15:03:41 -0700] NSMMReplicationPlugin - agmt="cn=AD" 
> > > > > (ad:636): windows_replay_update: Processing modify operation local 
> > > > > dn="uid=user,ou=people,dc=server,dc=,dc=" remote 
> > > > > dn="<GUID=16f869dcfdde3d42bcb075fd4a1c7980>"
> > > > >
> > > > >
> > > > > I'm not sure what is going on, I can talk via SSL from FDS to AD, 
> > > > > and I'm assuming that the PassSync service is working properly 
> > > > > since the changes from AD to FDS work.
> > > > >
> > > > > Any suggestions?
> > > > >
> > > > >
> > > > > --
> > > > > Fedora-directory-users mailing list
> > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > >
> > > >
> > > > _________________________________________________________________
> > > > Express yourself instantly with MSN Messenger! Download today it's 
> > > > FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> > > >
> > > > --
> > > > Fedora-directory-users mailing list
> > > > Fedora-directory-users@xxxxxxxxxx
> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
> > ------------------------------------------------------------------------
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >   
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users