I have setup cross-realm trust between AD and the Kerberos KDC component of FreeIPA (1.2.1). What I'd like to do is to setup a one-way password sync going from FreeIPA -> AD. Windows users always select the Kerberos Realm (of FreeIPA) when logging into machines joined to the AD domain. However, for various reasons it would be nice to have the AD password in sync with the FreeIPA password. Since users will always be authenticating against FreeIPA, is it possible to setup a one-way password sync such that when passwords are changed in FreeIPA, the new password is propagated to the AD domain controller(s)? And if so, can this be done without installing the PassSync.msi on each of the domain controllers? (I want to ensure that the password expirations are in sync; that's the only thing I actually care about, since as far as the users are concerned, their AD passwords can be taken away from them and made into sufficiently complex random strings, and expirations on AD turned off; but I doubt I can convince others to go along with that approach).
Kambiz -- "All tyranny needs to gain a foothold is for people of good conscience to remain silent." --Thomas Jefferson _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users