Thanks! :-) Gregor
2014-11-02 18:05 GMT+01:00 Alexander Bokovoy <[email protected]>:
> On Sun, 02 Nov 2014, Gregor Bregenzer wrote:
>>
>> Hi!
>>
>> I have FreeIPA 4.0.1 with a trust to AD to Windows 2012. The Linux
>> clients have sssd 1.11.6 and use the ipa provider for authentication
>> (part of client sssd.conf):
>>
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = linux1.linux.intern
>> chpass_provider = ipa
>>
>>
>> I found out, the password policy for complexity etc. is retrieved from
>> the group policy in AD, but is there also a way to retrieve the
>> password policy from FreeIPA? All the other parts such as sudo rules
>> and HBAC work when I assign the FreeIPA posix group which includes the
>> external group from AD, but not the password policy.
>
> Authentication is handled by AD in this case, thus password policy is
> handled by AD DCs as well. There is no way to attach IPA-specific
> password policy to AD users because the actual password policy check is
> done on AD side without us being involved in any decision.
>
>> Is there also some documentation about password policy with AD trust
>> (I was browsing documents from http://www.freeipa.org/page/Trusts but
>> did not find anything)?
>
> Since we don't have ways to handle it, there is no documentation. The
> same situation would be with any Kerberos cross-realm trust -- the final
> decision on password changes is done by the KDC that is responsible for
> the Kerberos principal in question.
> --
> / Alexander Bokovoy
