We are investigating an issue with EECS Windows Domain Controllers that is preventing LDAP-to-Windows password passthrough from working. This affects all systems that rely on EECS LDAP for authentication, including various webpages, the EECS-Secure wireless network, and Linux machines configured to use EECS LDAP. The issue began at approximately 7:45PM on 4/20.
Update 4/21 11:30AM: Staff are still working to restore LDAP-to-AD authentication, but we expect it will take some time. We will post another update here by 5PM.
Update 2 11:45AM: We have restored EECS-Secure wireless service by implementing a workaround on our wireless authentication system. Work continues on the root issue with LDAP-to-AD authentication passthrough, and an update on that will be posted by 5PM.
Update 4/21 1:22PM: Service has been restored. Please report any ongoing problems to help@eecs.berkeley.edu. An update will be posted to this article later with an analysis of the failure.
Synopsis: A change to Group Policy yesterday, designed to improve security on our Domain Controllers, was suspected to be the cause of the problems with LDAP-to-AD authentication. We worked to undo the changes, but our testing didn’t indicate any improvement to authentication. We began work on potential rebuilding of one or more of our Domain Controllers, as well as recovery of Active Directory from a previous backup, while also implementing some workarounds to authentication. But we finally found that the saslauthd daemon had hung on both back-end LDAP servers, likely caused by the initial Group Policy changes. Restarting saslauthd restored service.