Thanks! :-)


2014-11-02 18:05 GMT+01:00 Alexander Bokovoy <>:
> On Sun, 02 Nov 2014, Gregor Bregenzer wrote:
>> Hi!
>> I have FreeIPA 4.0.1 with a trust to AD to Windows 2012. The Linux
>> clients have sssd 1.11.6 and use the ipa provider for authentication
>> (part of client sssd.conf):
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = linux1.linux.intern
>> chpass_provider = ipa
>> I found out, the password policy for complexity etc. is retrieved from
>> the group policy in AD, but is there also a way to retrieve the
>> password policy from FreeIPA? All the other parts such as sudo rules
>> and HBAC work when I assign the FreeIPA posix group which includes the
>> external group from AD, but not the password policy.
> Authentication is handled by AD in this case, thus password policy is
> handled by AD DCs as well. There is no way to attach IPA-specific
> password policy to AD users because the actual password policy check is
> done on AD side without us being involved in any decision.
>> Is there also some documentation about password policy with AD trust
>> (I was browsing documents from but
>> did not find anything)?
> Since we don't have ways to handle it, there is no documentation. The
> same situation would be with any Kerberos cross-realm trust -- the final
> decision on password changes is done by the KDC that is responsible for
> the Kerberos principal in question.
> --
> / Alexander Bokovoy
