Users can not change passwords "Windows cannot set the password for <user> because : A device attached to the system is not functioning "

  • 7006254
  • 09-Jun-2010
  • 29-Apr-2013

Environment

Novell Open Enterprise Server 2 SP2 (OES 2SP2) Linux
Domain Services for Windows
DSFW

Situation

Changing a user's password results in the error message "Windows cannot set the password for user1 because : A device attached to the system is not functioning "

New users created with MMC also get the error "Windows cannot set the password for user1 because : A device attached to the system is not functioning "

When logging into the domain the following error message is displayed "The system could not log you on now because the domain <dsfw domain> is not available."

Resolution

A password policy is not assigned to the domain container or a partition that is included in the domain.

cat /etc/opt/novell/xad/xad.ini | grep -i retain
If the output is XADRETAINPOLICIES = yes, the existing password policy for the domain/partition is retained. If no policy was assigned, the Domain Password Policy will not be assigned to the domain container.

Check whether the domain container has the nspmpasswordpolicydn and gplink attributes. The nspmpasswordpolicydn attribute holds the password policy assigned to the container.

The gplink attribute holds the link(s) to the group policy object(s). Unless the default GPO was removed, the default GPO should be CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MYDOMAIN,DC=COM

DSFW specific LDAPSEARCH

You can either export LDAPCONF once, set it each time you run ldapsearch, or authenticate to the directory as administrator.

example1:
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf

ldapsearch -LLL -Y EXTERNAL -b "o=MYDOMAIN" -s base nspmpasswordpolicydn gplink

example2:
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ldapsearch -LLL -Y EXTERNAL -b "o=MYDOMAIN" -s base nspmpasswordpolicydn gplink

example3:
ldapsearch -LLL -x -D cn=administrator,cn=users,o=MYDOMAIN -W -b "o=MYDOMAIN" -s base gplink nspmpasswordpolicydn
Enter LDAP Password:

Example of what the ldapsearch on the domain container with a password policy assigned returned:

nspmpasswordpolicydn: cn=MYDSFWPWDPOLICY,cn=Password Policies,cn=Security

gplink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MYDOMAIN,DC=COM;0]

Notice the gplink attribute does not return o=MYDOMAIN. It returns the domain name.

If no password policy is returned, then a password policy needs to be assigned.

If nothing is returned for the nspmpasswordpolicydn attribute the attribute can be added with iManager or ldapmodify.
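
The check described above can be scripted. The following is an added example, not part of the original TID: it reads ldapsearch -LLL output for the domain container on standard input, unfolds wrapped LDIF lines, and reports whether nspmPasswordPolicyDN and gPLink are present. The function names and the folded sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the TID): checks `ldapsearch -LLL` output for the
# domain container. ldapsearch wraps long values onto continuation lines that
# start with a single space, so the LDIF is unfolded before matching.

unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (seen) print buf; buf = $0; seen = 1 }
         END { if (seen) print buf }'
}

# attr_value NAME: print the first value of NAME (case-insensitive match).
# Base64 values ("name:: ...") are printed undecoded.
attr_value() {
    awk -v want="$1" '{
        i = index($0, ":"); if (i == 0) next
        if (tolower(substr($0, 1, i - 1)) != tolower(want)) next
        val = substr($0, i + 1); sub(/^:? */, "", val)
        print val; exit
    }'
}

# check_container: LDIF on stdin. Returns 0 if both attributes are present,
# 1 if nspmPasswordPolicyDN is missing, 2 if only gPLink is missing.
check_container() {
    ldif=$(unfold_ldif)
    policy=$(printf '%s\n' "$ldif" | attr_value nspmPasswordPolicyDN)
    gplink=$(printf '%s\n' "$ldif" | attr_value gPLink)
    if [ -z "$policy" ]; then
        echo "nspmPasswordPolicyDN: MISSING (no password policy assigned)"
        return 1
    fi
    echo "nspmPasswordPolicyDN: $policy"
    if [ -z "$gplink" ]; then echo "gPLink: MISSING"; return 2; fi
    echo "gPLink: $gplink"
}

# Constructed sample: the output shown in this TID, folded the way ldapsearch
# folds long lines.
sample_ldif() {
    cat <<'EOF'
dn: o=MYDOMAIN
nspmpasswordpolicydn: cn=MYDSFWPWDPOLICY,cn=Password Policies,cn=Security
gplink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Sys
 tem,DC=MYDOMAIN,DC=COM;0]
EOF
}

sample_ldif | check_container
```

To run it against a live server, pipe one of the ldapsearch commands above into check_container in place of sample_ldif.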

Example of using ldapmodify to associate the Domain Password Policy to the domain container.

export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf <Press Enter>
ldapmodify <Press Enter>
dn: o=MYDOMAIN <Press Enter>
changetype: modify <Press Enter>
add: nspmPasswordPolicyDN <Press Enter>
nspmPasswordPolicyDN: cn=Domain Password Policy,cn=Password Policies,cn=System,o=MYDOMAIN
<Press Enter>
<Press Enter>

Another option with ldapmodify

ldapmodify -x -D cn=administrator,cn=users,O=MYDOMAIN -Z -W <Press Enter>
dn: O=MYDOMAIN <Press Enter>
changetype: modify <Press Enter>
add: nspmPasswordPolicyDN <Press Enter>
nspmPasswordPolicyDN: cn=Domain Password Policy,cn=Password Policies,cn=System,DC=MYDOMAIN,DC=COM
<Press Enter>
<Press Enter>

To use iManager or ConsoleOne, browse to the domain container, open the properties of the object and click the Other tab. If the nspmPasswordPolicyDN attribute is not active, add it, enter the value of the Domain Password Policy and click Apply.