Anonymous_User Absent Member.

Problem with expiring passwords with Universal Password/PDC

Hi, running NW65SP6 90 day eval, have set up universal password, a PDC and
joined workstations with Novell Client 4.91 SP3 to the domain successfully,
and the login works perfectly giving users automatic login to Windows.

In our production environment which I'll be migrating from, I have a 90 day
expiry policy on passwords, which I'd like to keep. So I tested it in the
above test environment and had issues:

- Problem#1, when I got prompted for the change I said yes, put a new pswd
(and sync with the CIFS domain was highlighted), and it told me "The Windows
password entered is invalid. NOTE: Other passwords in the synchronize list
were changed - OK", you click OK and you're back to the CTRL-ALT-DEL to
login, then you login with the new pswd OK. If I lock and unlock
workstation with either eDir or domain auth after that it's OK. Looked up
some TIDs:
--- TID#10051891 - close, but no cigar
--- TID#3604162 - if I unhighlight the domain when changing the pswd, I
don't get the error, but it still comes back to the CTRL-ALT-DEL screen,
login after that OK
Note that the Windows name and NDS name match on the login screen

- Problem#2, when I got prompted for the change I said no, I get "Your
Windows password has expired and must be changed. You must change your
password now!" with only OK, and click OK and you're put into the change
password screen. If you cancel out and try the login again you have one
less grace login and you can't get past the NO (loops until you run out of
grace logins).

- Problem#3, if I then change the pswd while logged in, it warns me that for
the domain "The Old Password entered was invalid", and I escape, but then if
I lock / unlock the workstation the new pswd (that it gave me the above
invalid message on) works fine for edir and domain auth.??

So problems #1 & #3 are annoyances (which I'll get help calls about), and
problem #2 effectively gets rid of the grace logins option since you have no
choice but to change your password right away or you can't get in.

Any ideas?

Thanks in advance
James


Anonymous_User Absent Member.

Re: Problem with expiring passwords with Universal Password/PDC

Your problems #1 and #3 are due to the fact that you only have one single
password, both for your NDS and for your Windows login. However the
Novell client doesn't know this and therefore thinks it needs to change
"both" passwords. The first password change (NDS) is actually successful
and results in "both" passwords being changed. Now, the client tries to
change the Windows password. This however fails because the Windows
password has already changed and so the old password doesn't match. If you
deselect the Windows password change, you avoid the problem and "both"
passwords are changed because in reality there is just one.

Issue #2 is simply due to the fact that the notion of "grace logins" does
not exist in Windows environments. It's a Novell specific feature which
only the Novell client can handle on NDS logins. For Windows logins,
either the password has expired and you are forced to change it, or it
hasn't expired and you don't need to change it. There is no notion of your
password having expired but you not being forced to change it yet.
As such, the only workaround for issue #2 is to disable grace logins and
don't use that feature at all when using PDC emulation.

--
Marcel Cox
http://support.novell.com/forums
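
Added example, not part of the original posts and not Novell's code: a simplified Python model of the behaviour described in the reply above, with one stored secret behind both the NDS and the Windows change/login paths. All class and function names are hypothetical, and the grace-login count is a constructed value.

```python
"""Simplified model (constructed for illustration) of one Universal Password
secret reached through two change-password and login paths."""


class SingleSecretStore:
    """One stored password answering both NDS and Windows (PDC emulation) logins."""

    def __init__(self, password, grace_logins=3):
        self.password = password
        self.expired = False
        self.grace_logins = grace_logins

    def change(self, old, new):
        # Both paths verify the old password against the same stored secret.
        if old != self.password:
            return "old password invalid"
        self.password, self.expired = new, False
        return "ok"

    def nds_login(self, password, change_now):
        # NDS semantics: an expired password may still log in on a grace login.
        if password != self.password:
            return "denied"
        if self.expired and not change_now:
            if self.grace_logins == 0:
                return "denied"
            self.grace_logins -= 1
        return "ok"

    def windows_login(self, password):
        # Windows semantics: expired means change now, with no grace period.
        if password != self.password:
            return "denied"
        return "must change password" if self.expired else "ok"


def client_change(store, old, new, sync_list):
    """Hypothetical client loop: one change request per selected target."""
    return {target: store.change(old, new) for target in sync_list}


def declined_change_login(store, password):
    """User answers 'no' to the expiry prompt: NDS step, then Windows step."""
    nds = store.nds_login(password, change_now=False)
    win = store.windows_login(password) if nds == "ok" else "not reached"
    return nds, win, store.grace_logins
```

With both targets selected, the second request fails on the old password although the new one is already in effect; each declined change consumes a grace login while the Windows step still demands the change.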
Anonymous_User Absent Member.

Re: Problem with expiring passwords with Universal Password/PDC

I seem to have resolved #1 and #3 by in the Novell Client advanced options
setting the "Windows Password Synchronization" setting to NO. Now it
doesn't bother me with the error on the Windows password, and I can't think
of anything in my environment that will be negatively affected by this.
However it still, after changing the password when prompted on login, puts
you back to the press CTRL-ALT-DEL to login (but with no error), then you
login with the new password and it's OK. I'd prefer it doesn't do this if
you have any ideas about how to get around it. If not then it's liveable.

Likewise it's liveable without the grace logins so I've disabled them, and
that annoyance went away too. Always had people waiting too many logins and
ending up with a locked account, at least that won't happen anymore...

Thanks for the detailed info below, it really is appreciated, helps me
understand what's going on.

Cheers
James


P.S. - Any thoughts on the questions posed in my last post on the other
message thread? Here they are again:

- Can the desktop, favorites and programs be common amongst all the users
who are part of the domain?

- Is it generally recommended that each remote site across a WAN link have a
BDC configured on their server (I'm guessing yes)?

- Any easy way to make it so that when a workstation is added to the domain
to be part of the domain admins group? We have it happen often where the
user needs to be able to install software. I can add each user one at a
time when creating them if need be, just trying to save a step



"Marcel Cox" <cimetmc@myrealbox.com> wrote in message
news:f3gr4a$fc0$1@linux.cie.etat.lu...
> Your problems #1 and #3 are due to the fact that you only have one single
> password, both for your NDS and for your Windows login. However the
> Novell client doesn't know this and therefore thinks it needs to change
> "both" passwords. The first password change (NDS) is actually successful
> and results in "both" passwords being changed. Now, the client tries to
> change the Windows password. This however fails because the Windows
> password has already changed and so the old password doesn't match. If you
> deselect the Windows password change, you avoid the problem and "both"
> passwords are changed because in reality there is just one.
>
> Issue #2 is simply due to the fact that the notion of "grace logins" does
> not exist in Windows environments. It's a Novell specific feature which
> only the Novell client can handle on NDS logins. For Windows logins,
> either the password has expired and you are forced to change it, or it
> hasn't expired and you don't need to change it. There is no notion of your
> password having expired but you not being forced to change it yet.
> As such, the only workaround for issue #2 is to disable grace logins and
> don't use that feature at all when using PDC emulation.
>
> --
> Marcel Cox
> http://support.novell.com/forums


