Thanks for reply, but I suspect I'm facing a different problem.
Talking about SSL.
As far as I understand SSL is used both for passync (AD -> FDS) and
replication agreement (AD <-> FDS). Note two different tasks.
In first case work cert.db8 certificates. I've installed on both AD
and FDS, my CA certificate and FDS server certificate. Passync works
without a hic. When I change pasword from windows it's exactly set
on FDS.
Replication agreement is based on cert.db8 on FDS and MS architecture
on AD, I mean that I make use of mmc to install CA and AD server
signed certificate.
Replication seems also work, since I see that AD and FDS users are
"merged" in one (almost) identical list. So users that were in AD
are created on FDS and viceversa, with (almost) all parameters setted.
My problem arise when from a linux machine authenticated on FDS I
issue and passwd change password. Really all seems go right, since
FDS register new password, and also AD tell me that the change has
been committed :
first event
User Account Changed:
Target Account Name: barbato
Target Domain: TEST
Target Account ID: TEST\barbato
Caller User Name: sync manager
Caller Domain: TEST
Caller Logon ID: (0x0,0x318F76)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
and after a while a second security event:
User Account password set:
Target Account Name: barbato
Target Domain: TEST
Target Account ID: TEST\barbato
Caller User Name: sync manager
Caller Domain: TEST
Caller Logon ID: (0x0,0x318F76)
But when I try to log on AD with this new password AD tell me that
I'm usinig the wrong one. Note that also the previous doesn't work,
and this confirm that it has been really changed.
Anybody has faced this ? Some other things to look into ?
Regards,
Paolo.
At 13:49 -0600 27-09-2007, Richard Megginson wrote:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=sha1; boundary="------------ms080709050607070004030508"
Glenn wrote:
Paolo - Maybe your certificates are not set up correctly. You
should have the
same CA certificate in the database in both FDS and AD. Also, the
server certs in each database should be issued by the same
certificate authority.
It is convenient to use the Certificate Authority included with
recent Microsoft Windows servers to create a CA certificate to
import into both databases. You can then create server
certificates using the MSCA and import them into their respective
databases.
You may also need to import the server certificate from FDS into
the database on AD and vice-versa.
You should not need to do this. All that should be required is that
each cert db has the cert for that server plus the trusted CA cert.
Once this is done, you should review and possibly modify the trust
attributes on all the certs. As you can see from my examples, I
used a scatter-gun approach.
You will need to use certutil for all import and modify operations
on the certificate databases. "certutil -H" gives a nice reference.
Examples:
sibelius=FD
boccherini=AD
TWCA=CA
[root@sibelius alias]# ./certutil -L -d . -P slapd-sibelius- TWCA
CT,c,c
boccherini P,P,P
server-cert CTu,cu,cu
C:\Program Files\RHD Password Sync>certutil -L -d .
TWCA CT,C,C
server-cert Pu,Pu,Pu
boccherini P,P,P
Remember to restart FDS and PassSync after making changes. -G.
---------- Original Message -----------
From: Paolo Barbato <paolo.barbato@xxxxxxxxxx>
To: fedora-directory-users@xxxxxxxxxx
Sent: Thu, 27 Sep 2007 10:06:40 +0200
Subject: fds vs passsync vs AD
Hi all!
I've succesfully installed fds and passync msi on windows AD. I
admit that some probem have arisen since documentation is a bit
poor on SSL part, especially on AD, but then finally I was able to
make things works.
I'm facing an odd problem that I'm not able to understand, but
probably already discussed on the list.
I'm able to take in sync password in AD and FDS when I change
password from AD, but not viceversa. Really from Windows event log
things seem go right: it tell me that pasword has been succesfully
updated (passwd is issued from linux). But that stored password is
somewhat different . Could be an encryption problem ? Any hints ?
Regards,
Paolo.
--
----------------------------------------------------------------------------
--------------------
Paolo Barbato email: mailto:paolo.barbato@xxxxxxxxxx
Network Administrator phone: (39-049)-829-5097
(39-049)-829-5000
Corso Stati Uniti,4 www: http://www.igi.cnr.it
35127 Camin-Padova PGP:
http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY JabberID: rfx_paolo_barbato@xxxxxxxxxxxxxxxxxx
----------------------------------------------------------------------------
--------------------
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------- End of Original Message -------
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--===============1715542137==
Content-Type: text/plain; name="smime.p7s"
; x-mac-type="65417070"
; x-mac-creator="43534F6D"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: imap_stub
0,118924,1.2,4448,0,
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
------------------------------------------------------------------------------------------------
Paolo Barbato email: mailto:paolo.barbato@xxxxxxxxxx
Network Administrator phone: (39-049)-829-5097
(39-049)-829-5000
Corso Stati Uniti,4 www: http://www.igi.cnr.it
35127 Camin-Padova PGP:
http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY JabberID: rfx_paolo_barbato@xxxxxxxxxxxxxxxxxx
------------------------------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
