| Event Information | According to Microsoft :
Cause :
This event is logged when Password propagation denied for the remote user.
Resolution :
Correct UNIX user denied error
Password propagation was not allowed for the remote user. This error typically originates in the UNIX environment.
If you have checked the UNIX-side configuration and found no problems, verify that Password Synchronization has been configured on the Windows-based computer in accordance with guidelines in Best Practices for Password Synchronization, an excerpt of which follows.
Best Practices for Password Synchronization - Ensure consistent password policies If you are providing only for one-way password synchronization, make sure that the password policy on the computer from which passwords will be synchronized is at least as restrictive in all areas as the policy on the computer to which passwords will by synchronized. For example, if you configure Windows-to-UNIX synchronization, the Windows password policy must be at least as restrictive as the policy of the UNIX computers with which it will synchronize passwords. If you are supporting two-way synchronization, the password policies must be equally restrictive on both systems. Failure to ensure that password policies are consistent can result in synchronization failure when a user changes a password on the less restrictive system, or the password might be changed on the more restrictive system even though it does not conform to the system's policies.Also make sure that Windows users are aware of any special password restrictions on the UNIX systems with which their passwords will be synchronized. For example, some versions of UNIX support a maximum password length of eight characters. For maximum compatibility with the default Windows password policy and these UNIX limitations, passwords should be seven or eight characters long unless you are sure that all UNIX systems can support longer passwords.
- Explicitly list the users whose passwords are to be synchronized To provide maximum control over which users can synchronize passwords, do not use the ALL keyword with the SYNC_USERS list in sso.conf on the UNIX host. Instead, you should explicitly list each user for whom password synchronization is allowed or blocked. On the Windows-based computer running Password Synchronization, create the PasswordPropAllow group and add the accounts of users whose passwords you want to synchronize. For more information, see Controlling password synchronization for user accounts.
- Do not synchronize passwords for disabled UNIX accounts On some versions of UNIX, changing the password of a disabled user account activates that account. Consequently, if a user has a disabled account on a UNIX computer that is configured to synchronize passwords with a Windows-based computer, the user or an administrator can activate the UNIX account by changing the user's Windows password. To prevent this, use the PasswordPropDeny group to block synchronization for disabled UNIX accounts. Also, when an administrator disables a UNIX account, the administrator should use the SYNC_USERS entry in sso.conf to block password synchronization for the account.
- Avoid synchronizing administrator passwords Do not synchronize passwords for members of the Windows Administrators groups or the passwords of UNIX superuser or root accounts.
When Password Synchronization is installed, members of the local Administrators group and the Domain Administrators group are added to the PasswordPropDeny group, which prevents their passwords from being synchronized. If you add a user to either the Administrators or Domain Administrators group, be sure to add the user to the PasswordPropDeny group as well.
Use the SYNC_USERS statement in the sso.conf file on all UNIX systems to prevent the passwords of superusers from being synchronized.
Other best practices for configuring the sso.conf file include the following. - Configure systems to handle user name case sensitivity correctly Unless you rigorously enforce a policy to ensure that Windows and UNIX user names match in both spelling and case, make sure that the CASE_IGNORE_NAME option in the sso.conf file is set to 1 (the default). UNIX user names are case sensitive; therefore, passwords might not synchronize properly if the user names do not match exactly because the Password Synchronization daemon is unable to associate the Windows user name with the corresponding UNIX user name.
- Make sure that password file type and name are consistent When you configure the Password Synchronization daemon, make sure that the password file type (specified by USE_SHADOW) and path name (set by FILE_PATH) are appropriate for each other. For example, on most systems, if USE_SHADOW is set to 0 (to indicate that the passwd file is used for synchronization), then the FILE_PATH option should be set to /etc/passwd. However, if USE_SHADOW is set to 1 (to indicate that the shadow file is used instead), then the FILE_PATH option should be set to /etc/shadow. (On AIX systems, the path and name of the shadow file is /etc/security/passwd.)
Verify :
Retry Windows to UNIX password synchronization for any failed user password change attempts to verify that Password Synchronization is operating normally. Password Synchronization is operating normally when password synchronization succeeds and is operating under warning conditions if synchronization fails for some passwords but succeeds for others.
If password synchronization succeeds for some passwords but fails for others, Windows to UNIX Password Synchronization Configuration is likely fully operational, but there might be account- or computer-specific configuration problems preventing password changes from being synchronized on UNIX-based hosts. |