
Some AD Users cannot log in

Posted: 01 Jan 2018 18:09
by SharazJek
I have recently updated my domain from 2008R2 to 2016. It's a completely new domain unrelated to the old one, but all user names are identical to the old one (the email domain migrated, so all email addresses are identical).

My AD user can log in, but others cannot. All the users show up when I go to user management. I also know my account is not local, as I recently changed my AD password and it is allowing me to log in and see my own emails. I cannot figure out where to start troubleshooting this issue, as the only log message I get is bad user/password in the httpd logs.

Re: Some AD Users cannot log in

Posted: 01 Jan 2018 21:13
by Zwabber
- Change the password of one of these users to a simple password without special characters
- Create a new user with a simple password
- Try other login forms: domain/username, only the username, the mail address
- Are you sure LDAP is working fine?

Re: Some AD Users cannot log in

Posted: 02 Jan 2018 19:11
by shawniverson
There's a debug script here that could help.

https://github.com/mailwatch/MailWatch/pull/1016/files

Re: Some AD Users cannot log in

Posted: 03 Jan 2018 12:59
by SharazJek
What's the best way to get that test file down to my box? (I know how to wget... I just don't know how to git... I'm not a programmer.) :)

Re: Some AD Users cannot log in

Posted: 03 Jan 2018 13:00
by SharazJek
Zwabber wrote: 01 Jan 2018 21:13
- Change the password of one of these users to a simple password without special characters
- Create a new user with a simple password
- Try other login forms: domain/username, only the username, the mail address
- Are you sure LDAP is working fine?

My password recently changed, so I know it's not caching a password from the previous AD server, and this also confirms the new AD DN settings are correct (the new domain has a completely different structure/OUs).

Creating a new user is something I've not done; I thought about that but never did it. I'll try that and report back.

Re: Some AD Users cannot log in

Posted: 04 Jan 2018 12:45
by SharazJek
OK, here is some output from ldaptest.php:

My credentials:

[root@emx01 ~]# php ldaptest.php
Test connection to server
enable AD compatibility
Try authenticating as DOMAIN\extauth
authentication for searching the account was successful
search for jhorne@lalala.com in LDAP directory
search done
found 1 accounts matching the filter
Trying to authenticate as user: Jonathan Horne
authentication success
db data for account: Mail: jhorne@lalala.com; Internal account idJonathan Horne
login success

Any other user, including a test user I just now created:

[root@emx01 ~]# php ldaptest.php
Test connection to server
enable AD compatibility
Try authenticating as DOMAIN\extauth
authentication for searching the account was successful
search for tuser@lalala.com in LDAP directory
search done
found 1 accounts matching the filter
Trying to authenticate as user: tuser
PHP Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /root/ldaptest.php on line 105

I can log that test user in on the OWA site just fine.
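The ldaptest.php output above walks through three steps: bind as the service account, search for the user, then bind as the user that was found. The failure in the second run is in that last step, which means the search matched but the simple bind for the found user was rejected. Below is an added diagnostic script (example code, not MailWatch's ldaptest.php) that runs the same three steps and then tries each of the login forms Zwabber listed (DN, UPN, DOMAIN\sAMAccountName) with the user's password, printing the AD "data" sub-code behind every "Invalid credentials" so a wrong password can be told apart from a disabled, locked or expired account. The environment-variable names, the search filter and the attribute list are assumptions; the AD sub-code table is the well-known set Active Directory returns.

```php
<?php
// Added example, not MailWatch code: service bind -> search -> user bind, trying every
// identity form AD accepts for a simple bind. Connection details come from environment
// variables (names are assumptions):
//   LDAP_URI (e.g. ldaps://dc01.lalala.com), LDAP_BIND_DN (e.g. DOMAIN\extauth),
//   LDAP_BIND_PW, LDAP_BASE (e.g. DC=lalala,DC=com), NETBIOS (NetBIOS domain name)
// Usage: php ldapdiag.php tuser@lalala.com 'the-users-password'

// Well-known AD sub-codes carried in the bind diagnostic message ("... data 52e, ...").
const AD_DATA_CODES = [
    '525' => 'user not found',          '52e' => 'invalid credentials (wrong password)',
    '530' => 'logon not permitted now', '531' => 'logon not permitted from this host',
    '532' => 'password expired',        '533' => 'account disabled',
    '701' => 'account expired',         '773' => 'user must reset password',
    '775' => 'account locked out',
];

function explainBindFailure($ldap): string
{
    $diag = '';
    $opt = defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ? LDAP_OPT_DIAGNOSTIC_MESSAGE : LDAP_OPT_ERROR_STRING;
    ldap_get_option($ldap, $opt, $diag);
    $msg = ldap_error($ldap) . ' (' . ldap_errno($ldap) . ')';
    if (preg_match('/data ([0-9a-f]{3})/i', (string)$diag, $m)) {
        $code = strtolower($m[1]);
        $msg .= ', AD data ' . $code . ': ' . (AD_DATA_CODES[$code] ?? 'unknown sub-code');
    }
    return $msg;
}

function tryBind($ldap, string $who, string $password): bool
{
    // An empty password makes AD perform an unauthenticated bind that "succeeds";
    // an auth check must never let that through.
    if ($password === '') {
        echo "  refusing empty password for $who\n";
        return false;
    }
    if (@ldap_bind($ldap, $who, $password)) {   // @ silences the PHP Warning seen in ldaptest.php
        echo "  bind OK   as $who\n";
        return true;
    }
    echo "  bind FAIL as $who: " . explainBindFailure($ldap) . "\n";
    return false;
}

foreach (['LDAP_URI', 'LDAP_BIND_DN', 'LDAP_BIND_PW', 'LDAP_BASE', 'NETBIOS'] as $var) {
    if (getenv($var) === false) { fwrite(STDERR, "$var is not set\n"); exit(2); }
}
$login    = $argv[1] ?? '';
$password = $argv[2] ?? '';
if ($login === '') { fwrite(STDERR, "usage: php ldapdiag.php <login> <password>\n"); exit(2); }

$ldap = ldap_connect(getenv('LDAP_URI'));
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // the usual "AD compatibility" setting

echo "Service-account bind\n";
if (!tryBind($ldap, getenv('LDAP_BIND_DN'), getenv('LDAP_BIND_PW'))) { exit(1); }

// Match the typed login against the three attributes AD users normally log in with.
$esc     = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
$filter  = "(&(objectClass=user)(|(mail=$esc)(userPrincipalName=$esc)(sAMAccountName=$esc)))";
$result  = ldap_search($ldap, getenv('LDAP_BASE'), $filter,
                       ['sAMAccountName', 'userPrincipalName', 'mail', 'userAccountControl']);
$entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
echo "Search $filter: {$entries['count']} match(es)\n";
if ($entries['count'] !== 1) { exit(1); }

$e    = $entries[0];                       // ldap_get_entries lower-cases attribute names
$dn   = $e['dn'];
$sam  = $e['samaccountname'][0] ?? '';
$upn  = $e['userprincipalname'][0] ?? '';
$mail = $e['mail'][0] ?? '';
echo "  dn=$dn\n  sAMAccountName=$sam\n  userPrincipalName=$upn\n  mail=$mail\n";

// These attributes are case-insensitive in the LDAP search, but a case difference between
// what was typed and what AD stores can still break string comparisons in the application.
foreach (['sAMAccountName' => $sam, 'userPrincipalName' => $upn, 'mail' => $mail] as $name => $val) {
    if ($val !== '' && $val !== $login && strcasecmp($val, $login) === 0) {
        echo "  note: typed '$login' matches $name '$val' only case-insensitively\n";
    }
}
if (((int)($e['useraccountcontrol'][0] ?? 0)) & 0x2) {   // ACCOUNTDISABLE bit
    echo "  note: userAccountControl says the account is disabled\n";
}

echo "User bind, each identity form AD accepts for a simple bind\n";
$forms = [$dn];
if ($upn !== '') { $forms[] = $upn; }
if ($sam !== '') { $forms[] = getenv('NETBIOS') . '\\' . $sam; }
$ok = false;
foreach ($forms as $who) { $ok = tryBind($ldap, $who, $password) || $ok; }
ldap_unbind($ldap);
exit($ok ? 0 : 1);
```

If the DN form fails with data 52e while the OWA login works, the password reaching the script is not the one the user typed (shell quoting or a special-character problem, which is what Zwabber's "simple password" suggestion tests); data 533, 773 or 775 points at the account rather than the password; and a "matches only case-insensitively" note is worth carrying over to the application's own username comparison.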

Re: Some AD Users cannot log in

Posted: 18 Jan 2018 12:16
by SharazJek
Anyone have any guesses on this one?

Re: Some AD Users cannot log in

Posted: 18 Jan 2018 14:12
by shawniverson
Not sure if it applies, but check this out. It may be a case sensitivity issue...

https://github.com/mailwatch/MailWatch/issues/1013