[Freeipa-users] Active Directory Sync user rights?
Rich Megginson
rmeggins at redhat.com
Tue Nov 12 14:38:08 UTC 2013
On 11/12/2013 01:29 AM, gflwqs gflwqs wrote:
> Hi,
> I have created the sync user with:
> - *Replicating directory changes* rights to the synchronized Active
> Directory subtree.
> - A member of the *Account Operator* and *Enterprise Read-Only Domain
> controller* groups.
>
>
> The user attribute synchronization is working fine, however the passync
> from IPA to AD does not work, I get this error message when I change a
> password for a user from IPA:
> (00000005: SecErr: DSID-031A121F, problem 4003 (INSUFF_ACCESS_RIGHTS),
> data 0 ) for modify operation
>
> If I add the sync user to the Domain Admins group it works, however
> according to the docs this should not be necessary?
http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights