huziy
asked on
Error: 1631 diagpwd
Hi I am trying to import a number of users in our tree using Identity Manager 2 and have been using the Diagpwd.exe program to check the universal password has been set on my users.
so far all has been good.. but since trying to import some users from another OU i ran into some problems.. i therefore checked the users with diagpwd.exe and it returned the error on around 10 users...
Error: -1631, retrieving password status for USERNAME
the novell TID at http://support.novell.com/cgi-bin/search/searchtid.cgi?10097771.htm indicates that NMAS Server 2.3.6 or greater is NOT installed i am running netware 6.5sp3 server as my master replica therefore assume that i must be running 2.3.6?
could it be that these users are authenticating to an older server? and therefore not setting the password? we do have some netware 6.0 sp5 servers in the replica ring
so far all has been good.. but since trying to import some users from another OU i ran into some problems.. i therefore checked the users with diagpwd.exe and it returned the error on around 10 users...
Error: -1631, retrieving password status for USERNAME
the novell TID at http://support.novell.com/cgi-bin/search/searchtid.cgi?10097771.htm indicates that NMAS Server 2.3.6 or greater is NOT installed i am running netware 6.5sp3 server as my master replica therefore assume that i must be running 2.3.6?
could it be that these users are authenticating to an older server? and therefore not setting the password? we do have some netware 6.0 sp5 servers in the replica ring
ASKER
I actually updated two of the NW6.5SP3 servers to SP5 this afternoon.. i tried the diagpwd again to no avail.
all the replica holding servers have at least 8.7.3 there are only two NW6SP5 servers that are running 8.6.2
i think i plan to remove those NW6 servers from the replica ring ASAP
the requirements diagpwd only require you to query a server with NMAS at least 2.3.6 and the one i am querying has this.. do you think the other servers in the replica ring could be affecting this?
all the replica holding servers have at least 8.7.3 there are only two NW6SP5 servers that are running 8.6.2
i think i plan to remove those NW6 servers from the replica ring ASAP
the requirements diagpwd only require you to query a server with NMAS at least 2.3.6 and the one i am querying has this.. do you think the other servers in the replica ring could be affecting this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok.. i now have all servers in the replica ring running NW6.5SP5 and a couple running SP3
the master replica server and other sp5 servers are running edir version 8.7.3.7 and nmas version 2.4 when looking in nwconfig
other sp3 servers are is 8.7.3.5 and NMAS ver 2.3.7
when i try to set the universal password in imanager for one of the problem users i get the following in DSTRACE
Thursday, 20 Jul 2006
12:21:22 478315A0 NMAS: spmPolicyCheck success
12:21:22 478315A0 NMAS: ERROR: -1418 CCS_UnwrapKey:performX
12:21:22 478315A0 NMAS: ERROR: -1418 spmAgentSetPassword failed
i have also even tried deleting the user and recreating it.. and i still get the same "Error: -1631, retrieving password status for USERNAME" in diagpwd
it does seem apparent that the users (but not all of them) exhibiting this problem are in one OU that is in our other office.. this has a replica ring of which the above servers are the only ones in it. Although the only servers below this OU (with the partition) are NW6 servers which do not have replica on them.. the ones with replica for this partition are in different OU's
If i create a new user in that OU (with new name) the diagpwd works fine.
the master replica server and other sp5 servers are running edir version 8.7.3.7 and nmas version 2.4 when looking in nwconfig
other sp3 servers are is 8.7.3.5 and NMAS ver 2.3.7
when i try to set the universal password in imanager for one of the problem users i get the following in DSTRACE
Thursday, 20 Jul 2006
12:21:22 478315A0 NMAS: spmPolicyCheck success
12:21:22 478315A0 NMAS: ERROR: -1418 CCS_UnwrapKey:performX
12:21:22 478315A0 NMAS: ERROR: -1418 spmAgentSetPassword failed
i have also even tried deleting the user and recreating it.. and i still get the same "Error: -1631, retrieving password status for USERNAME" in diagpwd
it does seem apparent that the users (but not all of them) exhibiting this problem are in one OU that is in our other office.. this has a replica ring of which the above servers are the only ones in it. Although the only servers below this OU (with the partition) are NW6 servers which do not have replica on them.. the ones with replica for this partition are in different OU's
If i create a new user in that OU (with new name) the diagpwd works fine.
I guess at this point I'd try to see what attributes are different between a new user object that works and an old one that fails. It's probably an orphaned or deprecated attribute that's still populated. One thing to check, there, is whether the Universal Password attributes properly exist on the old user objects.
Are the non-replica servers set to point to a specific replica server? Non-replica servers still have DS running and do have DS reference entries on them even if they don't have a replica, so there may be some issues there, as well.
You aren't running DIAGPWD against any of the NW6 servers, right? And you're only using iManager from your Master of [Root] server or another NW6.5SP5 server?
Are the non-replica servers set to point to a specific replica server? Non-replica servers still have DS running and do have DS reference entries on them even if they don't have a replica, so there may be some issues there, as well.
You aren't running DIAGPWD against any of the NW6 servers, right? And you're only using iManager from your Master of [Root] server or another NW6.5SP5 server?
ASKER
ok.. i found a fix for this but unfortunatley i didnt solve it.
even if i recreated the user in edir i still got the error.. therefore i deleted the NDS object leaving the Groupwise parts intact and then re-created them in our AD domain instead. This then created the user in the edir again. When running diagpwd against this it came up fine.
Seeing as i had around 11 users showing this problem and given time is of the essence here i decided to do this to the users that had the problem
Sorry i cannot provide a solution to the problem but i did fix it!
thanks for the hints at least the replica's might be a bit more up to date now?
even if i recreated the user in edir i still got the error.. therefore i deleted the NDS object leaving the Groupwise parts intact and then re-created them in our AD domain instead. This then created the user in the edir again. When running diagpwd against this it came up fine.
Seeing as i had around 11 users showing this problem and given time is of the essence here i decided to do this to the users that had the problem
Sorry i cannot provide a solution to the problem but i did fix it!
thanks for the hints at least the replica's might be a bit more up to date now?
ASKER
Although not solved this problem.. awarded points as potentially problem may have been caused by replica servers being out of date..
thanks
thanks
NMAS is part of eDirectory starting with eDirectory 8.7.2. If you don't have the same eDirectory version on all replica-holding servers, you should. You should be able to run the latest 8.7.3 IR on NW6SP5 (I don't think you can go 8.8 on NW6). If you're still running eDirectory 8.6.x on your NW6SP5 boxes, they won't be able to run NMAS 2.3.6 or later, which IIRC requires eDirectory 8.7.3. If you're on eDirectory 8.7.3.8 on your NW6SP5 servers, you should've also installed the NMAS 2.3.8 server modules. NMAS is installed/updated separately from eDirectory on NW6, so you'll want to do both - update your eDirectory and NMAS on all of your replica-holding NW6SP5 servers.