I have created the sync user with:
- *Replicating directory changes* rights to the synchronized Active
Directory subtree.
- A member of the *Account Operator* and *Enterprise Read-Only Domain
controller* groups.

The user attribute synchronization is working fine; however, the passync from
IPA to AD does not work. I get this error message when I change a password
for a user from IPA:
(00000005: SecErr: DSID-031A121F, problem 4003 (INSUFF_ACCESS_RIGHTS), data
0 ) for modify operation

If I add the sync user to the Domain Admins group it works; however,
according to the docs this should not be necessary?
