Password Sync service only updates RHDS/IPA with changes made on the AD domain controller on which it is running

Solution Verified

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Identity Management
  • Red Hat Directory Server 9
  • Red Hat Directory Server 8
  • Windows Server 2003 Active Directory
  • Windows Server 2008 Active Directory Domain Services

Issue

  • The Password Sync (passsync) service only processes password changes that are made directly on the Active Directory (AD) domain controller on which it is running. Password changes made on the other AD controllers in the domain are not synchronized with Red Hat Directory Server (RHDS) or Identity Management (IPA).

Resolution

  • The passsync service needs to be installed and running on every AD domain controller in the domain, because it does not synchronize password changes that arrive at a controller through AD replication from another controller. Each AD controller therefore makes its own separate connection to RHDS/IPA to synchronize the password updates made on it.

Root Cause

Password sync operations from AD to Red Hat Directory Server are triggered by password updates to the AD Local Security Authority (LSA) subsystem on the local domain controller, not by the replication process that carries a password update between AD controllers. A controller that only receives the change through replication never sees an LSA password update, so its passsync instance has nothing to forward. Additional information on the password sync process can be read here.
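Because the resolution requires passsync on every domain controller, a practical follow-up check is to enumerate all controllers in the domain and confirm the service is present and running on each one. The following PowerShell script is an added example and not part of this Red Hat solution; it assumes the ActiveDirectory RSAT module is available, that WinRM/CIM access to each controller is permitted for the account running it, and that the Windows service is registered under the name `passsync` (the name used when the service is controlled with `net stop passsync` / `net start passsync`). Any controller reported as missing or stopped is one where locally made password changes will not reach RHDS/IPA.

```powershell
# Added example (not Red Hat's code): report the Password Sync (passsync) service
# state on every domain controller in the current domain.
# Assumptions: ActiveDirectory module installed, CIM access to each DC, and the
# Windows service name 'passsync'.

Import-Module ActiveDirectory

$serviceName = 'passsync'   # assumed service name; adjust if your installation differs

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $dcName = $dc.HostName
    try {
        # Win32_Service returns $null (no object) when the service is not installed,
        # which avoids having to distinguish exception types.
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dcName `
                   -Filter "Name = '$serviceName'" -ErrorAction Stop
        if ($null -eq $svc) {
            [pscustomobject]@{ DomainController = $dcName; Site = $dc.Site
                               Installed = $false; State = 'NotInstalled'; StartMode = $null }
        } else {
            [pscustomobject]@{ DomainController = $dcName; Site = $dc.Site
                               Installed = $true; State = $svc.State; StartMode = $svc.StartMode }
        }
    } catch {
        # DC offline, firewall, or CIM/WinRM not permitted: record the error rather than skip the DC
        [pscustomobject]@{ DomainController = $dcName; Site = $dc.Site
                           Installed = $null; State = "Error: $($_.Exception.Message)"; StartMode = $null }
    }
}

$results | Format-Table DomainController, Site, Installed, State, StartMode -AutoSize

# A DC without a running passsync silently drops password changes made on that DC,
# so list those explicitly instead of leaving the reader to scan the table.
$gaps = @($results | Where-Object { $_.Installed -ne $true -or $_.State -ne 'Running' })
if ($gaps.Count -gt 0) {
    Write-Warning "Password changes made on these domain controllers will NOT be synchronized to RHDS/IPA:"
    $gaps | Format-Table DomainController, State -AutoSize
} else {
    Write-Host "$serviceName is installed and running on all $(@($results).Count) domain controllers."
}
```

Run it from any domain-joined workstation with RSAT as an account that can query services on the controllers. Because the sync trigger is the local LSA update, a controller that shows `StartMode = Auto` but `State = Stopped` is just as much of a gap as one where the service is absent, so the final filter treats both the same way.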

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
