Steven Jones wrote:
"Also note that you asked if "Can I be able to synchronize the current AD
user credentials with
FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0"
You cannot synchronize already existing passwords with IPA 2.x.  You
would have to force AD users to change their passwords in order to get
the clear text password to send to IPA."

Given the password in AD is encrypted I would assume that this will apply to 
any version of IPA?

Right. We aren't in the business of cracking existing passwords. When using PassSync the only way for us to get the password is for it to be changed.

With trust the users don't exist on the IPA side, so this isn't an issue.

Unless 3+ goes back to AD to confirm the password there?

With trust, tickets from the AD server are accepted as-is. With winsync the same rules apply as with 2.x (and 1.x for that matter).


Freeipa-users mailing list

Reply via email to