Password changes made from AD are not getting synced to Unix for some users

Recently we got a case where password changes made for domain users were not getting synced to Unix NIS clients. The issue was only happening for a couple of users; all other users' password changes were synced correctly.

To begin with, we checked the configuration made on the Windows and UNIX side as per the blog on Psync. We also verified the Unix attributes for the affected users, and all seemed to be fine.

The environment at the customer's end was: Windows 2003 with SFU 3.5 as a DC, and Windows 2008 as a DC. On Windows 2003, the update from https://support.microsoft.com/kb/921599 was installed. The issue occurred irrespective of whether the password was changed from the Windows 2003 or the Windows 2008 DC.

To add to the confusion, we were getting a success information event, 4098, in the event logs.

So we moved to the Unix box to troubleshoot the issue. To begin with, we confirmed that the Unix host was configured correctly as a NIS client by running the 'ypwhich' command.

Then I checked the local password file (/etc/passwd) on the Unix box and found that there was also a local user with the same name. Looking at the password file, we could identify the root cause of the issue.

The reason the user (user1) was having trouble logging in to the client (Unix1) was the presence of a conflicting local user with the same name. This is due to the fact that the /etc/nsswitch.conf file has an entry for 'passwd', and for this entry we specify files first and then NIS. Even if we specify compat, it would look in the local passwd file first. Hence the local entry shadows the NIS entry and the user is not authenticated against the AD.
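The shadowing described above can be checked for across all users rather than one at a time. The script below is an added example (not from the original article or from SFU): it reports login names present in both the local passwd file and the NIS passwd map, and prints the passwd lookup order from nsswitch.conf; the sample data it runs on is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: list local /etc/passwd
# accounts that shadow NIS accounts of the same login name. With
# "passwd: files nis" (or compat) in /etc/nsswitch.conf the local entry wins,
# so the AD-synced NIS password for that user is never consulted.

# find_shadowed LOCAL_PASSWD_FILE NIS_PASSWD_FILE
# Prints each login name present in both files, once, in NIS map order.
# Real use: ypcat passwd > /tmp/nis.passwd; find_shadowed /etc/passwd /tmp/nis.passwd
find_shadowed() {
    awk -F: '
        # first file: remember every local login name
        FILENAME == ARGV[1] { if ($1 != "") local[$1] = 1; next }
        # second file: a NIS login that also exists locally is shadowed
        ($1 in local) && !seen[$1]++ { print $1 }
    ' "$1" "$2"
}

# passwd_order NSSWITCH_FILE
# Prints the lookup sources configured for the passwd database, e.g. "files nis".
passwd_order() {
    awk '/^[ \t]*passwd[ \t]*:/ {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# demo: runs find_shadowed on constructed sample data (not real customer data).
# user1 exists both locally and in NIS; user2 exists only in NIS.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
user1:x:1001:1001:stale local copy:/home/user1:/bin/sh
EOF
    cat > "$tmp/nis.passwd" <<'EOF'
user1:x:10001:10001:user1 (AD-synced):/home/user1:/bin/sh
user2:x:10002:10002:user2 (AD-synced):/home/user2:/bin/sh
EOF
    find_shadowed "$tmp/passwd" "$tmp/nis.passwd"
    rm -rf "$tmp"
}

demo
```

Any name the script prints is a local account that will be consulted before NIS, so an AD password change for that user never takes effect on the host until the local entry is removed.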

Removing the user's local account resolved the issue.