David - At least once a week on our 8,000-user systems,
breaks. Usually it is because the Passsync service on the AD server stops
running. Other times, Passync is running, but passwords do not sync.
Sometimes passwords sync only one way. Sometimes password sync works when we
change the user's password on the domain controller, but it does not work
when we change the user's password on the user's Windows XP computer.
You do know that the passsync service is completely autonomous from the
FDS server-side sync functionality ?
Initiating a re-sync on FDS should have no affect on passsync, since
they are separate.
Sometimes password sync breaks and other attributes continue to
This would make perfect sense, since the two are implemented in
different software, running on different machines.
Often while this is going on, new accounts are not replicated from
to the other. An aggravating factor seems to be accounts that have
attributes allowed in Fedora Directory but not allowed in Active Directory,
such as duplicate names or user IDs.
Hmm...the FDS windows sync code is supposed to strip off illegal schema
to prevent this problem,
but perhaps it isn't working properly in your case.
The remedy for these problems seems to be to stop and restart
Passsync and do
a full resync from the Fedora Directory Server console. Duplicate entries
must be changed so they are acceptable to AD, and a resync is necessary to
get them to replicate.
If you're running an 8k user site with this code you might think about
investing some money
in having someone fix it. It sounds like you have hit one or more quite
serious bugs that would
probably not take too long to diagnose and fix.