Hi, I have integrated a FreeIPA domain with an Active Directory domain by synchronization. But my problem is that when I add a user to AD, it syncs the user data and password to FreeIPA. But when I update the user password, FreeIPA had not generated the ipantHash attribute until I ran ipa-adtrust-install for each new user and changed the user password again. So is there a way to make FreeIPA generate the ipantHash attribute for new users without running ipa-adtrust-install for each user addition in AD?
On 3/25/19 3:39 PM, mustafa taha via FreeIPA-users wrote:
Hi, I have integrated a FreeIPA domain with an Active Directory domain by synchronization.
Hi, do you mean that you followed this documentation: "Integrating a Linux Domain with an Active Directory Domain: Synchronization" [1]?
But my problem is that when I add a user to AD, it syncs the user data and password to FreeIPA. But when I update the user password, FreeIPA had not generated the ipantHash attribute until I ran ipa-adtrust-install for each new user and changed the user password again. So is there a way to make FreeIPA generate the ipantHash attribute for new users without running ipa-adtrust-install for each user addition in AD?
ipa-adtrust-install should not be used in this scenario. This command is used when integration is performed with a cross-forest trust [2].
Synchronization operations run every 5 minutes, but password synchronization changes should take effect immediately. Do you see issues with passwd sync on both directions or only from IPA to AD? Did you follow the instructions at "Managing password synchronization" [3]?
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Florence Blanc-Renaud via FreeIPA-users wrote:
On 3/25/19 3:39 PM, mustafa taha via FreeIPA-users wrote:
Hi, I have integrated a FreeIPA domain with an Active Directory domain by synchronization.
Hi, do you mean that you followed this documentation: "Integrating a Linux Domain with an Active Directory Domain: Synchronization" [1]?
But my problem is that when I add a user to AD, it syncs the user data and password to FreeIPA. But when I update the user password, FreeIPA had not generated the ipantHash attribute until I ran ipa-adtrust-install for each new user and changed the user password again. So is there a way to make FreeIPA generate the ipantHash attribute for new users without running ipa-adtrust-install for each user addition in AD?
ipa-adtrust-install should not be used in this scenario. This command is used when integration is performed with a cross-forest trust [2].
Synchronization operations run every 5 minutes, but password synchronization changes should take effect immediately. Do you see issues with passwd sync on both directions or only from IPA to AD? Did you follow the instructions at "Managing password synchronization" [3]?
Replying off-list since I don't have a lot of time to investigate but here are a few breadcrumbs.
The password plugin uses a series of objectclasses and attributes to determine which hashes to generate. It can generate the ipanthash but it requires the user to have the objectclass ipaNTUserAttrs. That has the required attribute ipaNTSecurityIdentifier which in this case I don't know what it'd be (perhaps a fake SID).
How one enables this outside of trust I don't know, Alexander might. A kludge may be to add a plugin extending user to add this objectclass and stuff in some SID.
rob
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
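An added example (not from the thread or from the FreeIPA project) that turns Rob's description of the prerequisites into a check an administrator can run over an LDIF export of cn=users: it parses the export and reports, per user, whether the objectClass ipaNTUserAttrs, its required ipaNTSecurityIdentifier, and the resulting ipaNTHash are present. The sample entries, SID and hash value are constructed, and the function names are hypothetical.

```python
import base64
from typing import Dict, List

# Constructed LDIF export of two user entries (not real data).
# "alice" carries ipaNTUserAttrs, a SID and a stored hash (all zeros here);
# "bob" is a synced user lacking all three, matching the thread's symptom.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: ipaNTUserAttrs
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
ipaNTHash:: AAAAAAAAAAAAAAAAAAAAAA==

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
uid: bob
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: folded lines and base64 ('::') values only."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of a folded line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>" -> hex string
            value = base64.b64decode(rest[1:].strip()).hex()
        else:
            value = rest.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entries

def audit_nthash_readiness(text: str) -> Dict[str, List[str]]:
    """Map each uid (taken from the DN) to what is missing for ipaNTHash."""
    report: Dict[str, List[str]] = {}
    for e in parse_ldif(text):
        uid = e["dn"][0].split(",")[0].split("=", 1)[1]
        classes = {oc.lower() for oc in e.get("objectclass", [])}
        missing = []
        if "ipantuserattrs" not in classes:
            missing.append("objectClass ipaNTUserAttrs")
        if "ipantsecurityidentifier" not in e:
            missing.append("ipaNTSecurityIdentifier")
        if "ipanthash" not in e:
            missing.append("ipaNTHash")
        report[uid] = missing
    return report
```

Run it against an export such as `ldapsearch -LLL -b cn=users,cn=accounts,<basedn> objectClass ipaNTSecurityIdentifier ipaNTHash` to see which synced users can never receive a hash on their next password change.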