Steven Jones wrote:
"Also note that you asked if "Can I be able to synchronize the current AD
user credentials with
FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0"
You cannot synchronize already existing passwords with IPA 2.x. You
would have to force AD users to change their passwords in order to get
the clear text password to send to IPA."
Given the password in AD is encrypted I would assume that this will apply to
any version of IPA?
Right. We aren't in the business of cracking existing passwords. When
using PassSync the only way for us to get the password is for it to be
With trust the users don't exist on the IPA side, so this isn't an issue.
Unless 3+ goes back to AD to confirm the password there?
With trust, tickets from the AD server are accepted as-is. With winsync
the same rules apply as with 2.x (and 1.x for that matter).
Freeipa-users mailing list