There is some confusion about the passsync user because our language is very misleading in the command-line help:
--passsync=PASSSYNC Password for the Windows PassSync user
and not much better in the man page:
--passsync=PASSSYNC_PWD Password for the Windows PassSync user. Required when using --winsync. This does not mean you have to use the PassSync service
The passsync user is a special bind user we create for the Windows PassSync service to use to change passwords in IPA. It skips over policy checking because it is assumed that AD has already done this, and by the time we get the password it is too late to reject it. The password is also created as non-expired.
Simo's suggested language:
Password for the IPA system user used by the Windows PassSync plugin to synchronize passwords.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=869656
master: 85a0cde
ipa-3-0: 343e90e
Metadata Update from @rcritten: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)