AD Driver - service user can't read password files

We have an AD Driver that is primarily a Publisher of info and passwords from AD to eDir. The Driver is running as a Remote Loader service on a Win2008 box, so a Win2016 box has been added to the domain as a member server, not a domain controller (yet).

The Driver service needs to log in as a domain user account rather than Local System to have the proper rights to AD. This is working fine on Win2008. However, on Win2016, when using the same service user, starting the service fails with this error: "Remote loader password and driver object password must be set".

The Driver is installed to C:\Novell\RemoteLoader. I looked in that directory and the files dxicert.pem and dxipkey.pem are present, which I assume are used for the passwords. I therefore believe the service account can't access this directory (or the specific files) due to rights; if the Driver is set to be Local System, it starts normally.

I've compared the Local System Policy permissions between Win2008 and Win2016 and haven't found anything obvious. The service user has the Log On As a Service permission.

Any suggestions?

eDirectory: 8.8.8 Latest SP
IDM: 4.6.2
AD Driver: 4.0.3.0 (64-bit)
Windows 2016 Data Center

Thanks!
Sam
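A check for the directory-rights hypothesis in the post above, as an added example that is not part of the thread. The service account name is a placeholder, and the script assumes it runs under an account that can read the ACLs; it only inspects direct and well-known-principal entries and does not resolve nested group membership.

```powershell
# Added diagnostic, not from the original post. Lists the ACL entries on the
# Remote Loader directory and its cert/key files and reports whether the
# service account is granted Read directly or via a broad well-known principal.
# Nested group membership is not resolved, so treat "Allowed = False" as a
# prompt to check the account's groups, not as proof of a missing grant.
$ServiceAccount = 'CONTOSO\svc-idm-rl'   # placeholder: the driver's service user
$BaseDir        = 'C:\Novell\RemoteLoader'
$Paths = @($BaseDir, "$BaseDir\dxicert.pem", "$BaseDir\dxipkey.pem")

# Principals whose grants apply to any domain account unless explicitly denied.
$Domain = $ServiceAccount.Split('\')[0]
$Broad  = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
            "$Domain\Domain Users")

function Test-ReadGrant {
    param([string]$Path, [string]$Account, [string[]]$BroadPrincipals)
    $acl    = Get-Acl -Path $Path
    $result = [ordered]@{ Path = $Path; Allowed = $false; AllowedBy = @(); DeniedBy = @() }
    $read   = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($rule in $acl.Access) {
        $id = $rule.IdentityReference.Value
        if (($id -ne $Account) -and ($BroadPrincipals -notcontains $id)) { continue }
        # FileSystemRights is a flags enum; any entry that contains the Read
        # bits (Read, ReadAndExecute, Modify, FullControl) counts here.
        if ((($rule.FileSystemRights -band $read) -eq $read) -eq $false) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $result.DeniedBy  += $id }
        else                                    { $result.AllowedBy += $id }
    }
    # A matching Deny entry on the Read bits overrides any Allow.
    $result.Allowed = ($result.AllowedBy.Count -gt 0) -and ($result.DeniedBy.Count -eq 0)
    [pscustomobject]$result
}

foreach ($p in $Paths) {
    Test-ReadGrant -Path $p -Account $ServiceAccount -BroadPrincipals $Broad
}
```

Entries that carry generic rights rather than the named FileSystemRights values show up as large numeric flags and are not matched by the Read test; inspect those by hand with `(Get-Acl $BaseDir).Access`.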
  • Zygomax;2489382 wrote:
    We have an AD Driver that is primarily a Publisher of info and passwords from AD to eDir. The Driver is running as a Remote Loader service on a Win2008 box, so a Win2016 box has been added to the domain as a member server, not a domain controller (yet).

    The Driver service needs to log in as a domain user account rather than Local System to have the proper rights to AD. This is working fine on Win2008. However, on Win2016, when using the same service user, starting the service fails with this error: "Remote loader password and driver object password must be set".

    The Driver is installed to C:\Novell\RemoteLoader. I looked in that directory and the files dxicert.pem and dxipkey.pem are present, which I assume are used for the passwords. I therefore believe the service account can't access this directory (or the specific files) due to rights; if the Driver is set to be Local System, it starts normally.

    I've compared the Local System Policy permissions between Win2008 and Win2016 and haven't found anything obvious. The service user has the Log On As a Service permission.

    Any suggestions?

    eDirectory: 8.8.8 Latest SP
    IDM: 4.6.2
    AD Driver: 4.0.3.0 (64-bit)
    Windows 2016 Data Center

    Thanks!
    Sam


    And if you really want to know how this works, there's this epic bit of fun I had back in 2014 figuring out why I suddenly couldn't configure a working remote loader.

    https://forums.novell.com/showthread.php/485016-RemoteLoaderSvc-exe-(-Net-Remote-Loader)-loads-but-doesn-t-work?p=2438567#post2438567

    I wonder if those bugs ever got fixed.

    Bugzilla #898824 and #899043.