Hello,
We have two Windows server 2003 domain controllers and I installed passsync on both servers in order to sync password changes to our 389 LDAP. On one domain controller, it appears passsync is working correctly as I can see in the passsync.log when I change a password through that domain controller. On the other domain controller, when I change a password I do not see any activity in the passsync.log at all. I have passsync on both domain controllers set to verbose logging. I also restarted both domain controllers after installing passsync.
On the domain controller that is not syncing passwords the log appears as:
  02/18/15 07:52:59: PassSync service initialized
  02/18/15 07:52:59: PassSync service running
  02/18/15 07:52:59: No entries yet
  02/18/15 07:52:59: Password list is empty. Waiting for passhook event
Does anyone have an idea of what the issue could be?
Dan Franciscus Systems Administrator Information Technology Group Institute for Advanced Study 609-734-8138
On 02/18/2015 05:17 AM, Daniel Franciscus wrote:
What is the version of PassSync? The latest is 1.1.6. http://www.port389.org/docs/389ds/releases/release-passsync-1-1-6.html
Did you have a chance to enable the passhook log?
In regedit, go to HKEY_LOCAL_MACHINE --> SOFTWARE\PasswordSync, then set Log Level to 1.
If you add or modify a password on the Windows Server 2003 domain controller, what do you get? Any errors?
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Yes, logging is set to 1. No errors at all, as if passsync is not detecting a password change. I am going to reboot the server after production hours again to see if that resolves it.
Dan Franciscus Systems Administrator Information Technology Group Institute for Advanced Study 609-734-8138
----- Original Message -----
From: "Noriko Hosoi" nhosoi@redhat.com
To: 389-users@lists.fedoraproject.org
Sent: Wednesday, February 18, 2015 2:01:41 PM
Subject: Re: [389-users] Passsync not changing passwords
On 02/18/2015 11:45 AM, Daniel Franciscus wrote:
Yes, logging is set to 1. No errors at all, as if passsync is not detecting a password change.
Sorry, I was not precise about the passhook log.
  cd C:\windows\system32
  ls passhook*
You should be able to see 3 files: passhook.dat, passhook.dll, and passhook.log.
Do you see any logs in the passhook.log file? For instance, my test shows these messages on successful sync. Do you see them?
  02/18/15 14:16:34 user AD_sync_user6 password changed
  02/18/15 14:16:34 0 entries loaded from file
  02/18/15 14:16:34 1 entries saved to file
If it is empty even after you update a password on AD, you may need to reboot the Windows machine...
Ah, I do not see passhook.dat or passhook.log. I tried uninstalling and re-installing but I still do not see those files there.
Dan Franciscus Systems Administrator Information Technology Group Institute for Advanced Study 609-734-8138
----- Original Message -----
From: "Noriko Hosoi" nhosoi@redhat.com
To: 389-users@lists.fedoraproject.org
Sent: Wednesday, February 18, 2015 5:24:33 PM
Subject: Re: [389-users] Passsync not changing passwords
So I finally figured out the problem in case anyone ever comes across this again.
In order for a password filter to register and actually capture password changes on a server, the filename of the DLL must be in the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages". After searching the entire registry on both of my domain controllers for the string "passhook", I saw that the one that was working had passhook in this key and the one that was not working did not. This key is set during installation of passsync, so for whatever reason the passsync installation on the non-working DC was not able to add that value. I added the value manually, rebooted, and it works.
Just thought you should know in case you ever see this again.
Thanks again for your help though, it pointed me in the direction I needed.
Dan Franciscus Systems Administrator Information Technology Group Institute for Advanced Study 609-734-8138
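A check for the condition Dan describes, written as an added example for this thread (it is not code from the thread or from the PassSync project): it lists the LSA notification packages under CurrentControlSet, confirms each registered DLL is actually present in the system directory, reports which ControlSet CurrentControlSet resolves to (the installer fragment Noriko quotes writes ControlSet001 explicitly), and with -Fix appends the passhook entry the way Dan did by hand. It assumes PowerShell 2.0 or later (an add-on on Windows Server 2003) running in an elevated session on the domain controller.

```powershell
# Added example, not part of the 389-users thread or the PassSync installer.
# Assumes PowerShell 2.0+ and an elevated session on the domain controller.
param([switch]$Fix)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valName = 'Notification Packages'
$dllName = 'passhook'                      # value is the DLL base name, no .dll
$sysDir  = [Environment]::SystemDirectory  # normally C:\Windows\system32

# CurrentControlSet is an alias for ControlSet00N; the PassSync.wxs fragment in
# the thread writes ControlSet001 by name, so report which one is live here.
$current = (Get-ItemProperty 'HKLM:\SYSTEM\Select').Current
"CurrentControlSet resolves to ControlSet{0:D3}" -f $current

# REG_MULTI_SZ is returned as a string array; drop a $null if the value is absent.
$packages = @((Get-ItemProperty -Path $lsaKey -Name $valName -ErrorAction SilentlyContinue).$valName |
              Where-Object { $_ })
"Registered notification packages: {0}" -f ($packages -join ', ')

# Every entry here is loaded into lsass.exe at boot and sees password changes,
# so list each one and confirm its DLL really exists where LSA will look for it.
foreach ($pkg in $packages) {
    $dll   = Join-Path $sysDir ($pkg + '.dll')
    $state = if (Test-Path $dll) { 'present' } else { 'MISSING' }
    "  {0,-12} {1}  ({2})" -f $pkg, $state, $dll
}

if ($packages -contains $dllName) {
    "passhook is registered. If passhook.log stays empty after a change, reboot: LSA loads filters at boot."
} elseif ($Fix) {
    # Append, never overwrite: the entries already there must survive.
    Set-ItemProperty -Path $lsaKey -Name $valName -Value ($packages + $dllName) -Type MultiString
    "Added '$dllName' to '$valName'. Reboot the domain controller so LSA loads it."
} else {
    "passhook is NOT registered. Re-run with -Fix from an elevated shell, then reboot."
}

# The other switch mentioned in the thread: HKLM\SOFTWARE\PasswordSync\Log Level.
$psKey = 'HKLM:\SOFTWARE\PasswordSync'
if (Test-Path $psKey) {
    $lvl = (Get-ItemProperty $psKey).'Log Level'
    "PasswordSync Log Level = $lvl (set to 1 for the passhook log, as suggested above)"
}
```

Run it read-only first on both controllers and compare the two package lists; the working DC should show passhook where the broken one does not.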
On 02/24/2015 03:38 PM, Daniel Franciscus wrote:
Hello Daniel,
Thank you so much for your investigation and sharing the result with us. Yes, 'passhook' is supposed to be set in the registry, but somehow it was not... I'm going to add your finding to the FAQ/troubleshooting on our wiki port389.org.

PassSync.wxs:
  <RegistryKey Id='NotPkgs' Root='HKLM' Key='SYSTEM\ControlSet001\Control\Lsa' ForceCreateOnInstall='yes' >
    <RegistryValue Name='Notification Packages' Type='multiString' Value='passhook'/>
  </RegistryKey>
Thanks! --noriko