Yes. Since you only want to sync passwords one way, from IPA to AD, you do not need PassSync.msiI have setup cross-realm trust between AD and the Kerberos KDC component of FreeIPA (1.2.1). What I'd like to do is to setup a one-way password sync going from FreeIPA -> AD. Windows users always select the Kerberos Realm (of FreeIPA) when logging into machines joined to the AD domain. However, for various reasons it would be nice to have the AD password in sync with the FreeIPA password. Since users will always be authenticating against FreeIPA, is it possible to setup a one-way password sync such that when passwords are changed in FreeIPA, the new password is propagated to the AD domain controller(s)? And if so, can this be done without installing the PassSync.msi on each of the domain controllers?
IPA winsync will not sync password expiration. IPA winsync will sync account disable/enable.(I want to ensure that the password expirations are in sync; that's the only thing I actually care about, since as far as the users are concerned, their AD passwords can be taken away from them and made into sufficiently complex random strings, and expirations on AD turned off; but I doubt I can convince others to go along with that approach).
Description: S/MIME Cryptographic Signature
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users