[Freeipa-users] question about password sync ....

[Kambiz Aghaiepour]

I have setup cross-realm trust between AD and the Kerberos KDC component
of FreeIPA (1.2.1).  What I'd like to do is to setup a one-way password
sync going from FreeIPA -> AD.  Windows users always select the Kerberos
Realm (of FreeIPA) when logging into machines joined to the AD domain.
However, for various reasons it would be nice to have the AD password in
sync with the FreeIPA password.  Since users will always be
authenticating against FreeIPA, is it possible to setup a one-way
password sync such that when passwords are changed in FreeIPA, the new
password is propagated to the AD domain controller(s)?  And if so, can
this be done without installing the PassSync.msi on each of the domain
controllers?  (I want to ensure that the password expirations are in
sync; that's the only thing I actually care about, since as far as the
users are concerned, their AD passwords can be taken away from them and
made into sufficiently complex random strings, and expirations on AD
turned off; but I doubt I can convince others to go along with that
approach).

Kambiz

-- 
"All tyranny needs to gain a foothold is for people of
good conscience to remain silent."  --Thomas Jefferson