Joseph, Matthew (EXP) wrote:
Thank you very much for that. Works like a charm.

How does this work though? You set up the winsync agreement between your
IPA Server and AD server using the hostname.

How does IPA know that it can trust a second DC?

Via the passsync user that you configure on the Windows side. It authenticates as this user and 389-ds accepts the password change.

rob


Matt

*From:* freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Dmitri Pal
*Sent:* Friday, April 05, 2013 11:56 AM
*To:* freeipa-users@redhat.com
*Subject:* EXTERNAL: Re: [Freeipa-users] Active Directory --> IPA Password Sync

On 04/05/2013 10:52 AM, Joseph, Matthew (EXP) wrote:

Hello,

I imagine this is a common issue/question when trying to implement the
password sync between AD and IPA.

We have two Windows 2003 domain controllers (for redundancy) so when a
user issues a password change on the Windows side there is no primary
domain controller that it will always use for password changes.

So right now IPA is only getting 50% of the Password changes that are
done through Windows due to password changes going through both domain
controllers.

Looking through the documentation, IPA will only allow a password sync
agreement between 1 AD and 1 IPA server.

Is there a solution for this issue? How are people getting around this?


One winsync agreement but passsync should be installed on both DCs.

Thanks,


Matt




_______________________________________________

Freeipa-users mailing list

Freeipa-users@redhat.com  <mailto:Freeipa-users@redhat.com>

https://www.redhat.com/mailman/listinfo/freeipa-users




--

Thank you,

Dmitri Pal



Sr. Engineering Manager for IdM portfolio

Red Hat Inc.




