Author Topic: Migration Tool 2.2: AD Password Sync Appears to Work but Authentication Fails  (Read 2263 times)

zenjedi

  • Zen Apprentice
  • Posts: 1
  • Karma: +0/-0
I have successfully configured my server as an AD Slave and it does appear to receive all of the required user & group accounts.

  • In the LDAP Settings on the server I enabled the PAM setting and set the Default Login Shell to Bash prior to synchronizing with AD.
  • The firewall rules are enabled as required.
  • Password complexity is enabled in the AD's Default Domain Policy.
  • The Migration Tool v2.2 is installed and appears to function as expected. (i.e. I can view the sync behaviour in the log files on both the AD Master and Zentyal Slave servers and they appear to complete without error.)

The problem is that no matter which AD account I use, nor how many times I change the password on that account, I CANNOT LOG IN at the console or via the browser. The auth.log file reports "Authentication Failure" on every attempt. Note: I can run ldapsearch and successfully authenticate against LDAP with one of the synced accounts. I just can't log in via the browser or at the server console.

What am I missing???

I have many years of MS/AD experience but am a Linux/Ubuntu/Zentyal rookie. Any help/guidance would be much appreciated.

« Last Edit: April 13, 2012, 10:49:27 am by zenjedi »
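The symptom above (a bind with ldapsearch works, but every PAM login lands as "Authentication Failure" in auth.log) is easier to narrow down when the failures are grouped by user and by what the PAM modules actually reported. The script below is an added example, not code from the thread or from Zentyal: it parses auth.log text in the standard syslog + pam_unix/pam_ldap message shape (the sample lines are constructed), pairs the pam_ldap bind error or the "user unknown" line with the user named by the same process id, and separates "account not resolvable" from "account found but password rejected". That distinction goes a little beyond the post: the first points at the sync/NSS lookup, the second at the password never having been synchronized. The hints in `diagnose()` are an assumed interpretation, not Zentyal documentation.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in the usual syslog + pam_unix/pam_ldap shape.
# They are illustrative, not taken from the thread or from a Zentyal server.
SAMPLE_AUTH_LOG = """\
Apr 13 10:40:01 zentyal login[2210]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=jsmith
Apr 13 10:40:01 zentyal login[2210]: pam_ldap: error trying to bind as user "uid=jsmith,ou=Users,dc=example,dc=com" (Invalid credentials)
Apr 13 10:40:03 zentyal login[2210]: FAILED LOGIN (1) on '/dev/tty1' FOR 'jsmith', Authentication failure
Apr 13 10:42:10 zentyal sshd[2301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=jsmith
Apr 13 10:42:10 zentyal sshd[2301]: pam_ldap: error trying to bind as user "uid=jsmith,ou=Users,dc=example,dc=com" (Invalid credentials)
Apr 13 10:45:30 zentyal sshd[2330]: Accepted password for admin from 192.0.2.11 port 50122 ssh2
Apr 13 10:46:02 zentyal sshd[2345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.12  user=mjones
Apr 13 10:46:02 zentyal sshd[2345]: pam_unix(sshd:auth): check pass; user unknown
"""

# syslog prefix: "Mon DD HH:MM:SS host process[pid]: "
SYSLOG_HEAD = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: ")
# pam_* "authentication failure" line; the trailing user= field names the account
PAM_FAIL = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[\w-]+):auth\): authentication failure;.*?\buser=(?P<user>\S*)"
)
# pam_ldap bind error carries the DN it tried and the LDAP result text
LDAP_BIND_FAIL = re.compile(r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)')
# pam_unix could not find the account at all
USER_UNKNOWN = re.compile(r"pam_\w+\([\w-]+:auth\): check pass; user unknown")


def summarize(log_text):
    """Group PAM authentication failures by user name.

    pam_ldap and "user unknown" lines do not repeat the user name, so they are
    attributed to the user most recently named by the same process id.
    """
    by_user = defaultdict(lambda: {"pam_failures": 0, "services": set(), "ldap_bind": [], "unknown": False})
    pid_user = {}
    for line in log_text.splitlines():
        head = SYSLOG_HEAD.match(line)
        pid = head.group("pid") if head else None
        m = PAM_FAIL.search(line)
        if m:
            user = m.group("user") or "<empty>"
            by_user[user]["pam_failures"] += 1
            by_user[user]["services"].add(m.group("service"))
            pid_user[pid] = user
            continue
        user = pid_user.get(pid)
        if user is None:
            continue  # e.g. a successful login or a process we never saw fail
        m = LDAP_BIND_FAIL.search(line)
        if m:
            by_user[user]["ldap_bind"].append(m.group("reason"))
        elif USER_UNKNOWN.search(line):
            by_user[user]["unknown"] = True
    return dict(by_user)


def diagnose(summary):
    """Map each failing user to a one-line hint (assumed interpretation, not Zentyal documentation)."""
    hints = {}
    for user, rec in summary.items():
        if rec["unknown"]:
            hints[user] = "account not resolvable by PAM/NSS: not synced, or the NSS/PAM LDAP lookup is misconfigured"
        elif any("Invalid credentials" in r for r in rec["ldap_bind"]):
            hints[user] = "account found but LDAP bind rejected: directory password differs from the one typed (password not synced?)"
        else:
            hints[user] = "PAM failure without LDAP detail: check the PAM stack and the LDAP module's debug output"
    return hints


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUTH_LOG)
    for user, hint in diagnose(summary).items():
        rec = summary[user]
        print(f"{user}: {rec['pam_failures']} failure(s) via {sorted(rec['services'])} -> {hint}")
```

Run it against a real file with `summarize(open("/var/log/auth.log").read())`; a user whose entries all say "Invalid credentials" while an ldapsearch bind with the same password succeeds is worth comparing against the DN pam_ldap actually tried, which the `dn` group of `LDAP_BIND_FAIL` captures.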

regenersis

  • Zen Apprentice
  • Posts: 4
  • Karma: +0/-0
Exactly the same issue here. I should mention that I couldn't authenticate on version 2.0 of Zentyal either :-\
« Last Edit: April 17, 2012, 03:38:52 pm by regenersis »

regenersis

  • Zen Apprentice
  • Posts: 4
  • Karma: +0/-0
I now seem to have this working to an extent. Please ensure, if you are using Zentyal 2.2, that you use zentyal-migration-tool-2.2 and not zentyal-adsync-2.0.1 (the Zentyal 2.0 version) for syncing your Windows AD server to the Zentyal Users and Groups module.

It seems that if you create a new user in AD and populate the full name, user logon name and user logon name (pre-Windows 2000) with exactly the same data, e.g. jsmith, then allow the 5 minutes for Zentyal to sync, authentication works (note: I tested via the HTTP proxy/Squid module using IE9).

You can then populate AD with the remaining user details. Although this works, it is no good for someone like me who had an already populated AD server with over 1000 users!

Any help would be appreciated....
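For a directory of 1000+ existing users it helps to know in advance which accounts do not satisfy the condition regenersis describes (full name, user logon name and pre-Windows 2000 logon name all identical). The script below is an added example, not code from the thread or from Zentyal: it reads an LDIF export (for instance the output of an ldapsearch against the users container; the entries here are constructed) with a minimal parser that handles comments and folded lines, and lists, per sAMAccountName, the attributes that differ from it. Treating that match as the requirement is the poster's observation, not a documented rule, and the attribute names are the standard AD ones assumed for the export.

```python
# Constructed LDIF export (what an ldapsearch of the AD users container might look like);
# not data from the thread.
SAMPLE_LDIF = """\
# users exported for the migration audit
dn: CN=John Smith,OU=Users,DC=example,DC=com
cn: John Smith
sAMAccountName: jsmith
userPrincipalName: jsmith@example.com
displayName: John Smith
description: Account created for the
  migration test

dn: CN=jdoe,OU=Users,DC=example,DC=com
cn: jdoe
sAMAccountName: jdoe
userPrincipalName: jdoe@example.com
displayName: jdoe

dn: CN=Mary Jones,OU=Users,DC=example,DC=com
cn: Mary Jones
sAMAccountName: mjones
userPrincipalName: mary.jones@example.com
displayName: Mary Jones
"""


def parse_ldif(text):
    """Minimal LDIF reader: a blank line separates entries, '#' starts a comment,
    and a leading space folds a continuation onto the previous value.
    Attribute names are lower-cased because LDAP attribute names are case-insensitive."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]  # LDIF line folding
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def logon_name_mismatches(entry):
    """Return the attributes whose value differs from sAMAccountName (the pre-Windows 2000 logon name).
    Expecting full name, UPN prefix and sAMAccountName to match is the poster's observation,
    not a documented requirement."""
    def first(attr):
        return entry.get(attr, [""])[0]
    sam = first("samaccountname").lower()
    checks = {
        "userPrincipalName": first("userprincipalname").split("@", 1)[0],
        "cn": first("cn"),
        "displayName": first("displayname"),
    }
    return [name for name, value in checks.items() if value.lower() != sam]


def audit(ldif_text):
    """Map each sAMAccountName to the list of attributes that do not match it."""
    return {
        entry["samaccountname"][0]: logon_name_mismatches(entry)
        for entry in parse_ldif(ldif_text)
        if "samaccountname" in entry
    }


if __name__ == "__main__":
    for sam, bad in audit(SAMPLE_LDIF).items():
        print(f"{sam}: {'ok' if not bad else 'differs in ' + ', '.join(bad)}")
```

Users reported with an empty list are the ones that already fit the pattern that worked for the poster; the rest are the accounts to watch when checking whether the synced entry authenticates.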

jjmontes

  • Zentyal Staff
  • Zen Monk
  • Posts: 86
  • Karma: +8/-0
If I recall correctly, there was an issue that forced you to change the password at least once (once AD sync is installed) for it to be synchronized. Could this be your case?

This will change with Zentyal 3.0 too, as it uses Kerberos and SMB4, without the need for AD synchronization :).

jsalamero

  • Zentyal Staff
  • Zen Hero
  • Posts: 1419
  • Karma: +45/-1
If you enable debug=yes in zentyal.conf, you should be able to see messages when the pwdsync gets a password from the Windows server. If you don't see that message, something is wrong with either the communication between Windows->Zentyal or the passwd hook on the Windows side.

regenersis

  • Zen Apprentice
  • Posts: 4
  • Karma: +0/-0
Where would I find the password sync messages?

J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • Posts: 1986
  • Karma: +67/-3
  • http://blogs.zentyal.org/jacalvo
In the /var/log/zentyal/zentyal.log file
Zentyal Server Lead Developer

regenersis

  • Zen Apprentice
  • Posts: 4
  • Karma: +0/-0
AD sync seems fine and no errors for users :-(