Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: pixeldrift on February 03, 2010, 09:58:56 pm
-
I had this issue under 1.3 and am now getting the same results after a completely clean fresh install of the 1.4 beta. I have a Windows 2003 Active Directory tree with about 50 users. Setting up the eBox as a slave to AD worked fine and everything seems to be connecting correctly... except only 14 users show up on the eBox, including the "eboxadsync". There seems to be no rhyme or reason for why those particular users are working and not the others. They are from different OUs, some are administrators and some not, some have logged in recently and others not, etc. It seems completely random.
Any suggestions on why this would be happening, or more importantly on how to get the rest of them to show up?
-
You can look at /var/log/ebox/ebox.log to see if you are getting any error during the sync process...
-
Yeah, I checked the logs and get a list of existing users that it's updating, followed by a message about groups, like so:
...
ebox-ad-sync:66 main:: - [ad-sync] Updating existing user jkirk
ebox-ad-sync:78 main:: - [ad-sync] Adding new group Windows Authorization Access Group
UsersAndGroups.pm:1362 EBox::UsersAndGroups::addGroup - Groupname must not be longer than 32 characters
Would that have anything to do with it?
-
Probably it's related. Is that a group created by you or a Windows default one? If it is the second, do you know if it has a special attribute in LDAP in order to filter it during the sync?
-
Same issue here with Windows Server 2008.
I've just changed the value in UsersAndGroups.pm.
It's not clean but it seems to work.
However, if a user belongs to a group in my Active Directory, this user isn't listed in this group on eBox ...
-
No, I have no idea where that group came from. Perhaps I should just try deleting it? The documentation said that you would have to reset user passwords before they'll show up on eBox? I did this on a test account, and it did not appear. Whereas some of the accounts that are syncing haven't been touched in quite a while. The odd thing is that it's not just the first few users, it's a random sampling that seem to work.
I'm very new to AD myself, so maybe I'm not the best person to be testing this. But on the other hand, if you need to be a Windows Server expert to figure it out, then it still needs work! :)
Basically I have OUs for students, staff, and the administration. I'm trying to get eBox to pull in the accounts, and apply policies (captive portal, content filtering, etc.) based on the user's OU. Is that unrealistic?
-
UP, I still have this issue.
-
Is anyone here? The ad-sync doesn't work at all!!!!
Please help
Thx
-
It works for me, but I have not tried it in Windows servers. What version of eBox? I believe 1.3 does not work correctly for Windows 7 meaning it might not work in Server 2008 R2.
-
I have the latest release of eBox (1.4.1). Users sync correctly, but not the groups.
The passwd doesn't sync at all.
See some errors in ebox.log:
UsersAndGroups.pm:1365 EBox::UsersAndGroups::addGroup - Groupname must not be longer than 32 characters
ebox-ad-sync:296 main::getPrincipalName - [ad-sync] can't get userPrincipalName for ...
UsersAndGroups.pm:1377 EBox::UsersAndGroups::addGroup - Invalid value for group name: ...
-
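The three messages in the post above refer to different objects, and the length error does not name the group it rejected. As an added example (not part of the thread and not eBox code), this Python triage groups such lines by cause; the line layout is inferred from the excerpts quoted in this thread, `triage` is a hypothetical name, and the sample names and log levels are constructed.

```python
import re
from collections import defaultdict

# Line shape as in the excerpts quoted in this thread:
#   [date time LEVEL> ]file:line package::sub - message
LINE = re.compile(
    r"^(?:\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \w+> )?"
    r"[\w.-]+:\d+ \S+ - (?P<msg>.*)$"
)
ADDING_GROUP = re.compile(r"\[ad-sync\] Adding new group (.+)")
# Message texts quoted in the thread, mapped to a short category.
RULES = [
    ("group_name_too_long", re.compile(r"Groupname must not be longer than \d+ characters")),
    ("group_name_invalid", re.compile(r"Invalid value for group name: (.+)")),
    ("missing_upn", re.compile(r"can't get userPrincipalName for\s*(.*)")),
]

def triage(lines):
    """Return {category: [object names]} for the sync failures in lines."""
    report = defaultdict(list)
    last_group = None  # group named by the latest "Adding new group" line
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # "...", continuation lines, other formats
        msg = m.group("msg")
        added = ADDING_GROUP.search(msg)
        if added:
            last_group = added.group(1)
            continue
        for category, pattern in RULES:
            hit = pattern.search(msg)
            if hit:
                # The length error names no group; use the preceding "Adding" line.
                name = hit.group(1) if pattern.groups else last_group
                report[category].append(name)
                break
    return dict(report)

# Constructed sample: message texts from the thread, names and levels made up.
SAMPLE = """\
ebox-ad-sync:66 main:: - [ad-sync] Updating existing user jkirk
2010/02/11 14:45:11 INFO> ebox-ad-sync:78 main:: - [ad-sync] Adding new group Windows Authorization Access Group
2010/02/11 14:45:11 ERROR> UsersAndGroups.pm:1362 EBox::UsersAndGroups::addGroup - Groupname must not be longer than 32 characters
2010/02/11 14:45:12 DEBUG> ebox-ad-sync:296 main::getPrincipalName - [ad-sync] can't get userPrincipalName for example.user
2010/02/11 14:45:13 ERROR> UsersAndGroups.pm:1377 EBox::UsersAndGroups::addGroup - Invalid value for group name: Grupo de acceso de autorización de windows
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```
-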
Do you have a group name over 32 characters in length?
-
Yes, but it's a default group of Windows Server ...
To avoid this issue, I have just changed the MAXGROUPLENGTH variable in /usr/share/perl5/EBox/UsersAndGroups.pm
-
Why /is/ it 32 characters? That would explain the issue though.
-
So ebox doesn't work with Windows server to sync users ...
If a developer could explain why it's 32 characters max ?
-
It does work. You have a group over 32 characters and maybe that's just some arbitrary limit or something, for compatibility reasons, with older versions of Windows Server. Maybe it's to be compliant with older Linux Samba versions. The main thing is, if Windows Server has no 32-character limitation, then there should be a checkbox somewhere to enable or disable the 32-character limit.
-
Ok but this group is created by Windows at the installation ...
Thx for your help by the way :)
-
Ok, I fixed the initial error by editing /usr/share/perl5/EBox/UsersAndGroups.pm and set MAXGROUPLENGTH to be 40. However, now it is giving another one:
2010/02/11 14:45:12 DEBUG> ebox-ad-sync:296 main::getPrincipalName - [ad-sync] can't get userPrincipalName for...
And it says that about a number of users. Still no change otherwise, I still am only getting the same few users imported as before. Not sure what would be causing this. Thoughts?
-
Exactly the same issue ...
-
I have the same error, help please!
-
You might have to change another value which is also a fixed-char variable.
-
Hi.
I had the problem with the group length. I changed UsersAndGroups.pm and now I have the error:
Invalid value for group name: Grupo de acceso de autorización de windows.
I think the problem is the "ó".
The group cannot be changed or deleted in AD.
Hope someone can help me.
-
I have found this on the trac : http://trac.ebox-platform.com/changeset/14955
Issue is here, in the function getPrincipalName() ...
jacalvo, please help !!!
Thx
-
It is already fixed on the svn, and a new package will be released very soon.
In the meanwhile, you can download the fixed file from:
http://trac.ebox-platform.com/export/16907/trunk/client/usersandgroups/tools/ebox-ad-sync
And copy it to /usr/share/ebox-usersandgroups/
Hope this helps!
-
Thx a lot, it seems to work. I still have some errors in the logs but my users are now in the groups 8)
For the issue with accented characters in UsersAndGroups.pm, I think the problem is in the regexp in the function sub _checkName. I have to change it: $name =~ /^.*$/
-
I'm not sure if this is correct, the usernames shouldn't be accented in UNIX, have a look at this:
# adduser fóòô
adduser: To avoid problems, the username should consist only of
letters, digits, underscores, periods, at signs and dashes, and not start with
a dash (as defined by IEEE Std 1003.1-2001).
-
Ok but some groups on Windows Server are accented and created by Windows itself ... so I don't want to remove them.
-
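An added example, not from the thread and not eBox code: instead of relaxing the check to `/^.*$/`, which matches every single-line string and so rejects nothing, the sync side can map each AD group name to a local name that a strict rule accepts. `is_posix_name`, `local_name` and the digest suffix are hypothetical choices made for this example, and applying the adduser character rule to group names is an assumption.

```python
import hashlib
import re
import unicodedata

MAX_LEN = 32  # limit named in the log message quoted earlier in the thread
# Character rule from the adduser message above; applying it to group
# names is this example's assumption, not eBox's own _checkName pattern.
POSIX_NAME = re.compile(r"^[A-Za-z0-9_.@][A-Za-z0-9_.@-]*$")
ACCEPT_ANY = re.compile(r"^.*$")  # the replacement proposed in the thread


def is_posix_name(name, max_len=MAX_LEN):
    """True if the name passes the strict length and character rule."""
    return len(name) <= max_len and bool(POSIX_NAME.match(name))


def local_name(ad_name, max_len=MAX_LEN):
    """Map an AD group name to a local name the strict rule accepts."""
    # Decompose accented letters and drop the combining marks: "ó" -> "o".
    decomposed = unicodedata.normalize("NFKD", ad_name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Runs of anything else (spaces, commas, "=", ...) become one "_".
    safe = re.sub(r"[^A-Za-z0-9_.@-]+", "_", plain).strip("_-")
    if not safe:
        raise ValueError("no usable characters in %r" % ad_name)
    if safe != ad_name or len(safe) > max_len:
        # The name was altered: add a short digest of the original so two
        # different AD groups are unlikely to end up with the same local name.
        tag = hashlib.sha256(ad_name.encode("utf-8")).hexdigest()[:6]
        safe = safe[: max_len - 7].rstrip("_") + "-" + tag
    return safe


# Constructed sample; the two long names are the ones quoted in the thread.
SAMPLE = [
    "staff",
    "Windows Authorization Access Group",
    "Grupo de acceso de autorización de windows",
    "Domain Users",
    "Domain_Users",
]

if __name__ == "__main__":
    for name in SAMPLE:
        print("%-45s strict=%-5s -> %s" % (name, is_posix_name(name), local_name(name)))
```
-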
Yes, I understand that. But with the current version (the ebox-ad-sync file from the svn repository), the only problem is that a warning appears in the log, isn't it? I mean, the synchronization of the rest of the users and groups works perfectly I suppose...
-
Yes, with the new ebox-ad-sync, it syncs with AD, users are in groups etc ... but the passwords don't synchronise. I don't see anything about the passwords in the logs.
-
Have you reset the passwords you want to synchronize?
As it says in the guide (http://trac.ebox-platform.com/wiki/Document/Documentation/EBoxActiveDirectorySync):
The passwords for the already existing users will need to be reset in order to synchronize them.
-
Yes.
I can see passwords with the command slapcat but they are encrypted.
-
I'm not sure if you are understanding me. I mean that you have to change the password for the users in your Windows AD in order to be transferred to eBox. slapcat will always show encrypted passwords.
-
I am understanding you.
I have always tried to change the password for the users.
These passwords are not saved in slap?
-
When I launch this command:
/usr/lib/squid/ldap_auth -v 3 -b ou=Users,dc=proxy,dc=mydomain,dc=com -u uid -h ldap://127.0.0.1:389
user passwd
I have this:
ERR Success
eBox doesn't synchronize the passwords with my AD. Maybe a problem with this (in ebox-ad-sync)
# The user must have a initial password in order to add it, as
# we still don't have the good one, we generate a random one
$user->{password} = randomPassword();
???
The only way I have found is to change the password for each user in SLAPD (with the plugin Apache Directory Studio in Eclipse).
By the way, many thanks to J. A. Calvo for his help and patience ;)
-
Synchronization with AD is working well, but now authorization in the HTTP Proxy does not work, help!!! :'(
-
See my last post.
-
Maybe there is another solution that does not correct passwords manually
-
I have all of these problems in this post. Anyone found a solution?
-
Hi there.
I am also affected by these issues. I can't get passwords synchronized properly.
Is there any workaround to this? Could ebox-usercorner be used to at least change LDAP passwords? Will they be overwritten again by ebox-ad-sync?
I am using eBox 1.4 from eBox PPA on Ubuntu 8.04.
Thanks!