[Freeipa-users] Re: question about password sync ...
Rich Megginson
rmeggins at redhat.com
Mon Sep 21 16:59:24 UTC 2009
>
> I have set up cross-realm trust between AD and the Kerberos KDC component
> of FreeIPA (1.2.1). What I'd like to do is to set up a one-way password
> sync going from FreeIPA -> AD. Windows users always select the Kerberos
> Realm (of FreeIPA) when logging into machines joined to the AD domain.
> However, for various reasons it would be nice to have the AD password in
> sync with the FreeIPA password. Since users will always be
> authenticating against FreeIPA, is it possible to set up a one-way
> password sync such that when passwords are changed in FreeIPA, the new
> password is propagated to the AD domain controller(s)? And if so, can
> this be done without installing the PassSync.msi on each of the domain
> controllers?
Yes. Since you only want to sync passwords one way, from IPA to AD, you
do not need PassSync.msi.
> (I want to ensure that the password expirations are in
> sync; that's the only thing I actually care about, since as far as the
> users are concerned, their AD passwords can be taken away from them and
> made into sufficiently complex random strings, and expirations on AD
> turned off; but I doubt I can convince others to go along with that
> approach).
>
IPA winsync will not sync password expiration. IPA winsync will sync
account disable/enable.
> Kambiz