How to find out if password hashes have synced


#1

Hi,

Since 4.1 there is no more messing about with the daemon on the Windows machine.

Univention offers a service for a local server to mirror the users of a remote server (LDAP Active Directory mirror).

If you authenticate to the “mirror” LDAP it will allow login as long as the admin has entered a user PW on the LDAP mirror (the PW then gets mirrored to the AD server).

But if the admin enters the PW on the AD server it is not mirrored back to the LDAP mirror.
(You have to drop into the Univention 4.1 CLI and enable the functionality, as per the manual instructions.)

After this functionality is enabled:

Is there anything we can check to see if the LDAP is mirrored and synced without having to mess about with trying to log in?


#2

I think you mean the AD Connector. Can you have a look here: http://sdb.univention.de/content/6/321/en/speed-up-ldap_binds-on-ad-member-mode-systems.html at the second part starting from “Since UCS4.1 the password service is no longer needed on the AD server…” you see the requirements to make this work.

You can check the status of the sync via “/var/log/univention/connector.log” “/var/log/univention/connector-status.log” and maybe the command “univention-connector-list-rejected” if something is not right.


#3

Yes, I saw the article and had followed the instructions.

But today I noticed that in the past, if I added changes to my “mirror” Univention system, they were propagated to the “real” AD server.

However, now they are not propagated, which would suggest that after I followed the article, I broke something…

which, after looking at your recommendations, appears to be the case…

[quote]univention-connector-list-rejected
Traceback (most recent call last):
  File "/usr/sbin/univention-connector-list-rejected", line 191, in <module>
    main()
  File "/usr/sbin/univention-connector-list-rejected", line 152, in main
    False
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 734, in __init__
    self.open_ad()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 926, in open_ad
    self.lo_ad = univention.uldap.access(host=self.ad_ldap_host, port=int(self.ad_ldap_port), base=self.ad_ldap_base, binddn=self.ad_ldap_binddn, bindpw=self.ad_ldap_bindpw, start_tls=tls_mode, use_ldaps=ldaps, ca_certfile=self.ad_ldap_certificate, decode_ignorelist=['objectSid', 'objectGUID', 'repsFrom', 'replUpToDateVector', 'ipsecData', 'logonHours', 'userCertificate', 'dNSProperty', 'dnsRecord', 'member'])
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 150, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 189, in __open
    self.lo.simple_bind_s(self.binddn, self.__encode_pwd(self.bindpw))
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 879, in simple_bind_s
    res = self._apply_method_s(SimpleLDAPObject.simple_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 215, in simple_bind_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}[/quote]

I’m getting an error here on the commands:

[quote]root@mirror:~# /etc/init.d/univention-ad-connector stop
[info] Stopping univention-ad-connector daemon.
done.
root@mirror:~# ucr unset connector/ad/mapping/user/password/kinit
W: The config registry variable 'connector/ad/mapping/user/password/kinit' does not exist
root@mirror:~# find /etc/univention/connector/ \( -name "internal.cfg" -o -name "internal.sqlite" \) -exec mv "{}" "{}.bak_$(date +%s)" \;
root@mirror:~# [/quote]

I think that because this is only a “mirror” setup and not a full DC takeover, this functionality is not available.

But I tracked the above error down to this; obviously that is NOT a FQ bind name:

ucr set connector/ad/ldap/binddn=Administrator


#4

OK…
Now we are back on track… and the systems are connected.
I’m seeing this in the two log files you pointed out:


#5

Have a look at your Microsoft Windows servers (all of them).

“Active Directory Sites and Services” -> Default-First-Site-Name -> Servers -> <server> -> NTDS Settings -> Attribute Editor -> search for “msDS-ReplicationEpoch” and see whether a) the value is the same at all Windows servers, and b) I would recommend deleting the value at all Windows servers.

Afterwards restart the AD Connector, and maybe reinitialize it too via: http://sdb.univention.de/content/6/314/en/reinitialize-active-directory-connector.html
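As an added example (not part of this thread or of Univention's tooling), the same check done once from PowerShell for every DC instead of clicking through the attribute editor on each server. It assumes the RSAT ActiveDirectory module is installed and the account can read the Configuration partition (and write it, if you uncomment the clear step):

```powershell
# Added example: audit msDS-ReplicationEpoch on every DC's NTDS Settings object.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

function Get-ReplicationEpochReport {
    # NTDS Settings objects (class nTDSDSA) live under CN=Sites in the Configuration NC.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=nTDSDSA)' `
                 -Properties 'msDS-ReplicationEpoch' |
        ForEach-Object {
            # DN is CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,...: 2nd RDN is the DC, 4th the site.
            $rdns = $_.DistinguishedName -split ','
            [pscustomobject]@{
                DomainController  = $rdns[1] -replace '^CN=', ''
                Site              = $rdns[3] -replace '^CN=', ''
                Epoch             = $_.'msDS-ReplicationEpoch'   # $null when the attribute is not set
                DistinguishedName = $_.DistinguishedName
            }
        }
}

$report = Get-ReplicationEpochReport
$report | Format-Table DomainController, Site, Epoch -AutoSize

# Check (a): is the value identical on all DCs?  Unset is reported as its own value.
$values = @($report | ForEach-Object { if ($null -eq $_.Epoch) { '<not set>' } else { [string]$_.Epoch } } |
            Sort-Object -Unique)
if ($values.Count -gt 1) {
    Write-Warning "msDS-ReplicationEpoch is inconsistent across DCs: $($values -join ', ')"
}

# Check (b): report every DC where the attribute is set at all.
foreach ($dc in $report | Where-Object { $null -ne $_.Epoch }) {
    Write-Warning "$($dc.DomainController) has msDS-ReplicationEpoch=$($dc.Epoch) set"
    # Uncomment to clear it as recommended above; re-run the report afterwards, then
    # restart (and if needed reinitialize) the AD Connector on the UCS side.
    # Set-ADObject -Identity $dc.DistinguishedName -Clear 'msDS-ReplicationEpoch'
}
```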


#6

OK,
Checked our AD server; the flag “msDS-ReplicationEpoch” you mentioned appears to be set to 1.

Which is why it’s throwing an error.

We have reset it.

Just a bit surprised the Univention web front end does not pick this up in its “System Diagnostic”.

Thanks for all your help…


#7

OK, hit a serious snag…

sdb.univention.de/content/6/314/ … ector.html

After clearing out the epoch variable on the Windows AD server and running the above note, we found all the user PWs on the AD server were “erased” after the sync…

Users could no longer log in with their default passwords until we reset each user with a new PW in the AD server…