Rich Megginson wrote:
>>
>> I have set up cross-realm trust between AD and the Kerberos KDC component of FreeIPA (1.2.1). What I'd like to do is to set up a one-way password sync going from FreeIPA -> AD. Windows users always select the Kerberos Realm (of FreeIPA) when logging into machines joined to the AD domain. However, for various reasons it would be nice to have the AD password in sync with the FreeIPA password. Since users will always be authenticating against FreeIPA, is it possible to set up a one-way password sync such that when passwords are changed in FreeIPA, the new password is propagated to the AD domain controller(s)? And if so, can this be done without installing the PassSync.msi on each of the domain controllers?
>
> Yes. Since you only want to sync passwords one way, from IPA to AD, you do not need PassSync.msi.
>
>> (I want to ensure that the password expirations are in sync; that's the only thing I actually care about, since as far as the users are concerned, their AD passwords can be taken away from them and made into sufficiently complex random strings, and expirations on AD turned off; but I doubt I can convince others to go along with that approach).
>>
> IPA winsync will not sync password expiration. IPA winsync will sync account disable/enable.
>
>> Kambiz
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Hmmm ... so what is the correct method of syncing password expiration?

--
"All tyranny needs to gain a foothold is for people of good conscience to remain silent." --Thomas Jefferson
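The thread leaves the expiration question open: winsync propagates the password itself and the enable/disable state, so the expiry dates on the two sides can silently diverge. What an administrator can at least do is detect that drift. The following script is an added example, not code from the thread or from the FreeIPA project. It assumes the user entries have already been fetched over LDAP from both directories (the fetch is not shown; a constructed sample stands in for it), that the IPA side exposes `krbPasswordExpiration` as LDAP GeneralizedTime, that the AD side exposes `pwdLastSet` (FILETIME) and `userAccountControl`, and that the AD domain's maximum password age is known (90 days in the sample is an assumed policy value).

```python
"""Detect password-expiration drift between FreeIPA and AD user entries (added example)."""
from datetime import datetime, timedelta, timezone

# AD FILETIME counts 100 ns ticks since 1601-01-01 UTC.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl bit for "password never expires" (ADS_UF_DONT_EXPIRE_PASSWD).
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_NORMAL_ACCOUNT = 0x200


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME value to a timezone-aware datetime."""
    return AD_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt - AD_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime as IPA stores krbPasswordExpiration, e.g. 20240415120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ad_password_expiration(entry: dict, max_pwd_age: timedelta):
    """Compute when the AD password expires, or None if AD will never expire it
    (DONT_EXPIRE flag) or pwdLastSet == 0 (must change at next logon)."""
    if entry["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None
    if entry["pwdLastSet"] == 0:
        return None
    return filetime_to_datetime(entry["pwdLastSet"]) + max_pwd_age


def find_expiration_drift(ipa_entries: dict, ad_entries: dict, max_pwd_age: timedelta,
                          tolerance: timedelta = timedelta(hours=1)) -> dict:
    """Return {uid: reason} for every IPA user whose AD expiry does not match within tolerance."""
    drift = {}
    for uid, ipa in ipa_entries.items():
        ad = ad_entries.get(uid)
        if ad is None:
            drift[uid] = "missing in AD"
            continue
        ipa_exp = parse_generalized_time(ipa["krbPasswordExpiration"])
        ad_exp = ad_password_expiration(ad, max_pwd_age)
        if ad_exp is None:
            drift[uid] = "AD never expires / pending change; IPA expires %s" % ipa_exp.isoformat()
        elif abs(ad_exp - ipa_exp) > tolerance:
            drift[uid] = "IPA %s vs AD %s" % (ipa_exp.isoformat(), ad_exp.isoformat())
    return drift


# --- constructed sample data (assumed 90-day AD policy, fictional users) ---
MAX_PWD_AGE = timedelta(days=90)


def _ft(generalized: str) -> int:
    """Build a pwdLastSet value from a GeneralizedTime string for the sample."""
    return datetime_to_filetime(parse_generalized_time(generalized))


IPA_SAMPLE = {
    "alice": {"krbPasswordExpiration": "20240415120000Z"},
    "bob":   {"krbPasswordExpiration": "20240501090000Z"},
    "carol": {"krbPasswordExpiration": "20240601000000Z"},
    "dave":  {"krbPasswordExpiration": "20240301000000Z"},
}
AD_SAMPLE = {
    # alice: set 2024-01-16 12:00, +90 days = 2024-04-15 12:00 -> matches IPA
    "alice": {"pwdLastSet": _ft("20240116120000Z"), "userAccountControl": UF_NORMAL_ACCOUNT},
    # bob: set 2024-01-10 09:00, +90 days = 2024-04-09 09:00 -> earlier than IPA's date
    "bob":   {"pwdLastSet": _ft("20240110090000Z"), "userAccountControl": UF_NORMAL_ACCOUNT},
    # carol: AD flagged "password never expires", IPA still has an expiry
    "carol": {"pwdLastSet": _ft("20240301000000Z"),
              "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    # dave: exists in IPA only
}

if __name__ == "__main__":
    for uid, reason in sorted(find_expiration_drift(IPA_SAMPLE, AD_SAMPLE, MAX_PWD_AGE).items()):
        print("%-6s %s" % (uid, reason))
```

Run periodically (or after the winsync agreement's replication cycle), the report lists exactly the accounts whose expiry would surprise a user who authenticates against IPA but whose AD entry is governed by a different clock, including the two AD-specific states, "never expires" and "must change at next logon", that have no direct IPA counterpart.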