[Freeipa-users] Active Directory Sync user rights?

2013-11-12 Thread gflwqs gflwqs
Hi,
I have created the sync user with:
- *Replicating directory changes* rights to the synchronized Active
Directory subtree.
- A member of the *Account Operator* and *Enterprise Read-Only Domain
controller* groups.


The user attribute synchronization is working fine, however the passync from
IPA to AD does not work, I get this error message when I change a password
for a user from IPA:
(0005: SecErr: DSID-031A121F, problem 4003 (INSUFF_ACCESS_RIGHTS), data
0 ) for modify operation

If I add the sync user to the Domain Admins group it works, however
according to the docs this should not be necessary?
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Active Directory Sync user rights?

2013-11-12 Thread Rich Megginson

On 11/12/2013 01:29 AM, gflwqs gflwqs wrote:

> Hi,
> I have created the sync user with:
> - *Replicating directory changes* rights to the synchronized Active
> Directory subtree.
> - A member of the *Account Operator* and *Enterprise Read-Only Domain
> controller* groups.
>
> The user attribute synchronization is working fine, however the passync
> from IPA to AD does not work, I get this error message when I change a
> password for a user from IPA:
> (0005: SecErr: DSID-031A121F, problem 4003 (INSUFF_ACCESS_RIGHTS),
> data 0 ) for modify operation
>
> If I add the sync user to the Domain Admins group it works, however
> according to the docs this should not be necessary?

http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights




