[Freeipa-users] FreeIPA v 2.2 in an AD environment
Rob Crittenden
rcritten at redhat.com
Mon Nov 5 19:16:33 UTC 2012
Steven Jones wrote:
> "Also note that you asked if "Can I be able to synchronize the current AD
> user credentials with
> FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0"
> You cannot synchronize already existing passwords with IPA 2.x. You
> would have to force AD users to change their passwords in order to get
> the clear text password to send to IPA."
>
> Given the password in AD is encrypted I would assume that this will apply to any version of IPA?

Right. We aren't in the business of cracking existing passwords. When
using PassSync the only way for us to get the password is for it to be
changed.

With trust the users don't exist on the IPA side, so this isn't an issue.

> Unless 3+ goes back to AD to confirm the password there?

With trust, tickets from the AD server are accepted as-is. With winsync
the same rules apply as with 2.x (and 1.x for that matter).

rob