DSfW: Error -1659 Failed get password for user

  • 7011636
  • 17-Jan-2013
  • 18-Feb-2020

Environment

Open Enterprise Server 11 (OES11)
Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSfW
eDirectory

Situation

User cannot log in to the domain
Password was changed or set with Novell Client, and now the user cannot log in to the domain
Password was set on an eDirectory server and not a DSfW server, and now the user cannot log in to the domain
ERROR: -1659 Failed get password for user is returned in an NMAS trace

Resolution

All Universal Password Policies used with DSfW need to have the option "Synchronize Distribution Password" set if a non-DSfW server is setting the password.

In iManager click on the Passwords role
Click on Password Policies
Click on the password policy for the domain
Click on the Universal Password tab
Click on the Configuration Options sub tab
Check the "Synchronize Distribution Password when setting Universal Password" box
Make sure the "Allow user to retrieve password" box is also ticked
Click Apply

Cause

When an NMAS trace is taken while the user logs in to the domain, the following error is returned:

1237497600 NMAS: [2013/01/06 16:32:26.216] ERROR: -1659 Failed get password for .CN=user1.O=novell.T=11.
1237497600 NMAS: [2013/01/06 16:32:26.216] ERROR: Failed to modify entry <missing entry 0x49c2aa20>: -1659 (0xfffffffffffff985)

The password was set on a non-DSfW server, and the Distribution Password synchronization option was not set in the Password Policy. If the password is set on an eDirectory server without synchronizing the Distribution Password, the supplementalCredentials for the domain user will not be updated.
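
The check below is an added example, not part of the original TID or any Novell tooling: it scans a saved NMAS trace for the -1659 "Failed get password" error shown above and lists the affected user DNs, rejoining wrapped lines first. The record prefix format is assumed from the excerpt in this article, and the sample trace (including user2 and the last line) is constructed.

```python
import re

# Constructed sample modelled on the excerpt in this article; user2 and the
# last line are invented to exercise the parser. Real captures wrap lines too.
SAMPLE_TRACE = """\
1237497600 NMAS: [2013/01/06 16:32:26.216] ERROR: -1659 Failed get password for
.CN=user1.O=novell.T=11.
1237497600 NMAS: [2013/01/06 16:32:26.216] ERROR: Failed to modify entry
<missing entry 0x49c2aa20>: -1659 (0xfffffffffffff985)
1237497600 NMAS: [2013/01/06 16:33:01.004] ERROR: -1659 Failed get password for .CN=user2.O=novell.T=11.
1237497600 NMAS: [2013/01/06 16:33:05.100] Constructed unrelated message
"""

# Assumed record prefix, taken from the excerpt: "<number> NMAS: [timestamp] message"
RECORD = re.compile(r"^\d+ NMAS: \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
FAILED = re.compile(r"ERROR: -1659 Failed get password for\s+(?P<dn>.+)$")

def unwrap(text):
    """Rejoin wrapped lines: a line that does not start a new record continues the last one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def failed_password_users(text):
    """Map each user DN to the timestamps of its -1659 'Failed get password' errors."""
    hits = {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        f = FAILED.search(m.group("msg")) if m else None
        if f:
            hits.setdefault(f.group("dn"), []).append(m.group("ts"))
    return hits

def to_hex64(code):
    """64-bit two's-complement form of an error code, as the trace prints it in parentheses."""
    return hex(code & 0xFFFFFFFFFFFFFFFF)

if __name__ == "__main__":
    for dn, stamps in failed_password_users(SAMPLE_TRACE).items():
        print(f"{dn}: {len(stamps)} failure(s), first at {stamps[0]}")
```

Each DN it reports is a user whose password was set without Distribution Password synchronization, so those accounts are the ones to recheck after the policy change described under Resolution.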


Additional Information

See TID 7009602 on how to take an NMAS trace.