FreeIPA 4.6.5
Windows 2019 Domain Controller
We have 389 Directory Password Synchronization set up according to manual here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
When a user changes their password in AD, the password gets synced to FreeIPA - this is perfect. But at the same time the password is immediately set to "expired" in FreeIPA. I understand this is correct behavior for resets. But this page:
https://www.freeipa.org/page/New_Passwords_Expired
says that sync agents are an exception: "One of the features we decided to embed in FreeIPA is that when a password is first set or when a password is later reset we mark this password as immediately expired and require the owner to perform a password change. The only exception is for password synchronization agents."
Eugene V via FreeIPA-users wrote:
> FreeIPA 4.6.5
> Windows 2019 Domain Controller
> We have 389 Directory Password Synchronization set up according to manual here:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
> When a user changes their password in AD, the password gets synced to FreeIPA - this is perfect. But at the same time the password is immediately set to "expired" in FreeIPA. I understand this is correct behavior for resets. But this page:
> https://www.freeipa.org/page/New_Passwords_Expired
> says that sync agents are an exception: "One of the features we decided to embed in FreeIPA is that when a password is first set or when a password is later reset we mark this password as immediately expired and require the owner to perform a password change. The only exception is for password synchronization agents."
So you manually created the winsync replication agreement rather than using ipa-replica-manage? That's not at all tested so there may be dragons. IPA provides its own winsync plugin.
You need to add whatever user you created for the sync to the passSyncManagersDNs attribute in cn=ipa_pwd_extop,cn=plugins,cn=config. This will skip password policy enforcement and expiration reset.
rob
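The change Rob describes, written out as an added example (not from the thread or the FreeIPA project): an LDIF that adds the sync account's DN to `passSyncManagersDNs` on `cn=ipa_pwd_extop,cn=plugins,cn=config`, applied with `ldapmodify`, plus a check that parses `ldapsearch` output to confirm the DN is listed. The sync account DN `uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com` and the `ldap://localhost` URL are assumptions; use the DN that the winsync agreement actually binds with.

```shell
#!/bin/sh
# Assumed: the account the password sync agent binds as. Override via the environment.
PASSSYNC_DN="${PASSSYNC_DN:-uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com}"
# Real plugin config entry named in the thread.
PLUGIN_DN="cn=ipa_pwd_extop,cn=plugins,cn=config"
# Assumed: 389-ds reachable on the local host.
LDAP_URL="${LDAP_URL:-ldap://localhost}"

# Emit the LDIF that adds a DN to passSyncManagersDNs.
# The attribute is multi-valued, so "add" keeps any existing sync managers.
pwsync_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: %s\n' \
        "$PLUGIN_DN" "$1"
}

# Apply the LDIF as Directory Manager (prompts for the password). Not run by the test.
apply_pwsync() {
    pwsync_ldif "$1" | ldapmodify -x -D "cn=Directory Manager" -W -H "$LDAP_URL"
}

# Dump the current list of sync manager DNs. Not run by the test.
show_pwsync() {
    ldapsearch -x -LLL -D "cn=Directory Manager" -W -H "$LDAP_URL" \
        -b "$PLUGIN_DN" -s base passSyncManagersDNs
}

# Read ldapsearch output on stdin and succeed only if the given DN is listed.
# Attribute names are case-insensitive in LDAP, hence the -i.
pwsync_listed() {
    grep -qi "^passSyncManagersDNs: $1\$"
}

# Example run (uncomment on a real server):
# apply_pwsync "$PASSSYNC_DN"
# show_pwsync | pwsync_listed "$PASSSYNC_DN" && echo "sync manager registered"
```

Once the DN is listed, password updates bound as that account bypass policy enforcement and the expiration reset, while passwords set any other way still expire as the wiki page describes. If the plugin does not pick up the new value immediately, restarting the directory server is the assumed way to make it re-read its configuration.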
freeipa-users@lists.fedorahosted.org