Bug 749004 - Clarify the perms required on the Windows side for winsync to work
Summary: Clarify the perms required on the Windows side for winsync to work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Deon Ballard
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-10-25 19:58 UTC by Deon Ballard
Modified: 2011-12-12 19:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-12 19:15:31 UTC
Target Upstream Version:



Description Deon Ballard 2011-10-25 19:58:37 UTC
At a minimum, the sync user needs to have read, write, and replicator rights to the AD subtree for winsync to work.

Replicator rights: http://support.microsoft.com/kb/891995 and http://support.microsoft.com/kb/303972.

Comment 2 Deon Ballard 2011-10-27 17:51:04 UTC
This popped up on the #freeipa channel (hat tip, Lars Sjöström), and it sounds good.

"Add the AD sync user to the AD domain (with adsiedit.msc) and allow the user to do "Replicating directory changes" instead of using the Enterprise Read-only domain controller role."

Comment 3 Deon Ballard 2011-10-27 17:53:19 UTC
Also from the channel...

"If you're about to perform a winsync the AD-binduser account can be memberof "Account Operator" as well as "Enterprise Read-Only Domain controller" .. no need to be full "Domain Admin"."
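The following PowerShell audit script is an added example, not part of this bug or of the FreeIPA/winsync documentation. It checks an AD sync account for the two points raised above: which groups it sits in (flagging full admin groups, since the comments say Domain Admins is not needed) and whether it holds the "Replicating Directory Changes" extended right on the domain naming context. The account name "ipasync" is a hypothetical placeholder; the script assumes the RSAT ActiveDirectory module on a domain-joined Windows host. Only direct group membership is listed.

```powershell
# Added example (not from the bug): audit an AD winsync bind account for the
# rights discussed above. Assumptions: account 'ipasync' is hypothetical; the
# ActiveDirectory module (RSAT) is installed; run on a domain-joined host.
Import-Module ActiveDirectory

$syncAccount = 'ipasync'   # hypothetical sAMAccountName of the AD sync user

# Schema GUID of the 'Replicating Directory Changes' extended right
# (DS-Replication-Get-Changes). An ACE with an empty ObjectType grants all
# extended rights, so it is treated as a match as well.
$replGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

$user   = Get-ADUser -Identity $syncAccount
$domain = (Get-ADRootDSE).defaultNamingContext

# 1. Direct group membership: flag groups that exceed the minimum the comments describe.
$groups = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
$overPrivileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
"Group membership of $syncAccount:"
foreach ($g in $groups) {
    $flag = if ($overPrivileged -contains $g) { 'EXCESSIVE' } else { 'ok' }
    "  {0,-45} {1}" -f $g, $flag
}

# 2. ACL on the domain naming context: is the replication extended right
#    allowed to the account itself or to one of its groups?
$acl = Get-Acl -Path ("AD:\" + $domain)
$principals = @("$env:USERDOMAIN\$syncAccount") + ($groups | ForEach-Object { "$env:USERDOMAIN\$_" })
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$replAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
    ($_.ObjectType -eq $replGetChanges -or $_.ObjectType -eq [Guid]::Empty) -and
    ($principals -contains $_.IdentityReference.Value)
}

if ($replAces) {
    $via = ($replAces.IdentityReference.Value | Sort-Object -Unique) -join ', '
    "Replicating Directory Changes on $domain is granted via: $via"
} else {
    "Replicating Directory Changes is NOT granted to $syncAccount (directly or via its groups) on $domain"
}
```

Run it as an account that can read the domain object's security descriptor. A result of "EXCESSIVE" on a group line, or a missing replication right, is the thing to fix in adsiedit.msc or Active Directory Users and Computers before enabling winsync.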

