On 11/12/2013 01:29 AM, gflwqs gflwqs wrote:
Hi,
I have created the sync user with:
- *Replicating directory changes* rights to the synchronized Active
Directory subtree.
- A member of the *Account Operator* and *Enterprise Read-Only Domain
controller* groups.
The user attribute synchronization is working fine; however, the passync
from IPA to AD does not work. I get this error message when I change a
password for a user from IPA:
(0005: SecErr: DSID-031A121F, problem 4003 (INSUFF_ACCESS_RIGHTS),
data 0 ) for modify operation
If I add the sync user to the Domain Admins group it works; however,
according to the docs this should not be necessary?
http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users