Event ID 8230 — UNIX to Windows Password Synchronization Service -- Run-time Issues

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

yellow

UNIX to Windows Password Synchronization Service -- Run-time Issues indicates the functionality of UNIX to Windows password synchronization operations.

When Password Synchronization is configured for UNIX to Windows synchronization, and UNIX to Windows synchronization is functioning normally, passwords that are changed on UNIX hosts are synchronized on Windows-based computers and domains. The Password Synchronization pluggable authentication module (PAM) makes this possible by intercepting the password change request on the UNIX host, encrypting the password, and then sending the password change request to the Password Synchronization service running on the Windows-based computers with which it is configured to be synchronized.

Event Details

Product: Windows Identity Management for UNIX
ID: 8230
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_BAD_PASSWORD
Message: Error: unrecognized password for user. %ruser = %1

Resolve

Check the password

An error occurred because an incomplete or incorrect password was entered for the user. Verify that the password was entered correctly, and that the correct single sign-on daemon (SSOD) is installed on any UNIX-based hosts. Ensure that Password Synchronization is configured identically on all Windows-based domain controllers, particularly host settings and default settings for encryption keys and ports. For more information, see Best Practices for Password Synchronization in the Password Synchronization Help, an excerpt of which follows.

Best Practices for Password Synchronization

  • Ensure consistent password policies If you are providing only for one-way password synchronization, make sure that the password policy on the computer from which passwords will be synchronized is at least as restrictive in all areas as the policy on the computer to which passwords will by synchronized. For example, if you configure Windows-to-UNIX synchronization, the Windows password policy must be at least as restrictive as the policy of the UNIX computers with which it will synchronize passwords. If you are supporting two-way synchronization, the password policies must be equally restrictive on both systems. Failure to ensure that password policies are consistent can result in synchronization failure when a user changes a password on the less restrictive system, or the password might be changed on the more restrictive system even though it does not conform to the system's policies.

    Also make sure that Windows users are aware of any special password restrictions on the UNIX systems with which their passwords will be synchronized. For example, some versions of UNIX support a maximum password length of eight characters. For maximum compatibility with the default Windows password policy and these UNIX limitations, passwords should be seven or eight characters long unless you are sure that all UNIX systems can support longer passwords.

Best practices for configuring the sso.conf file with consistent policies include the following.

  • Make sure that password file type and name are consistent When you configure the Password Synchronization daemon, make sure that the password file type (specified by USE_SHADOW) and path name (set by FILE_PATH) are appropriate for each other. For example, on most systems, if USE_SHADOW is set to 0 (to indicate that the passwd file is used for synchronization), then the FILE_PATH option should be set to /etc/passwd. However, if USE_SHADOW is set to 1 (to indicate that the shadow file is used instead), then the FILE_PATH option should be set to /etc/shadow. (On AIX systems, the path and name of the shadow file is /etc/security/passwd.)

Verify

To verify the functional state of UNIX to Windows password synchronization, retry UNIX to Windows password synchronization. UNIX to Windows password synchronization is fully operational when the password synchronization succeeds, and functioning with warning conditions present if password synchronization fails for some passwords but succeeds for others.

If password synchronization succeeds for some passwords but fails for others, the UNIX to Windows Password Synchronization Service is likely fully operational, but there might be account- or computer-specific configuration problems preventing password changes from being synchronized on UNIX-based hosts.

Related Management Information

UNIX to Windows Password Synchronization Service -- Run-time Issues

Identity Management for UNIX

Community Additions

ADD
Show: