On 10/15/2013 04:23 PM, janice.psyop wrote:
> Ah, well that makes sense then!
>
> I couldn't understand why the freeipa.org doc
> (http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup) ends at
> cross realm trust -- plus everything was working fine at that point,
> but I thought the FC18 docs had further instructions for sync agreements --> it
> was ID10T error on my part! -- just blindly clicking "next"...
>
> So I'm just going to "disconnect" and delete the agreement and
> certs..... Actually, I may just start from scratch. It was easy
> enough to do up until the point I mixed up the instructions.
>
> Thanks very much for clearing up my misunderstanding / pointing out the obvious!!!
>
> And thanks for the link -- probably should watch that first.... LOL.
>
> -J.
>
> On Tue, Oct 15, 2013 at 4:01 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>
>> ----- Original Message -----
>>> From: "janice.psyop" <janice.ps...@gmail.com>
>>> To: freeipa-users@redhat.com
>>> Sent: Tuesday, October 15, 2013 6:51:42 PM
>>> Subject: Re: [Freeipa-users] ipa sync agreement to AD DC is taking a very long time
>>>
>>> Thanks for the replies.
>>>
>>> I checked this morning and it was still hung up on "Update in progress"
>>> so I killed it.
>>>
>>> @Alexander: Yes, I had already established a trust with our AD DC. I
>>> was doing step "9.4.2. Creating Synchronization Agreements"
>>> (FreeIPA_Guide/managing-sync-agmt.html). I've been following the
>>> guide step-by-step.
>> What I was trying to say is that you have misunderstood the instructions and
>> are doing a wrong configuration that is not supported and was never meant to
>> exist.
>>
>> AD trusts are configured with the 'ipa-adtrust-install' tool and the trust is
>> established with the 'ipa trust-add' command.
>> We don't replicate any user and group related information from AD to IPA
>> LDAP when using AD trusts.
>>
>> AD replication is a totally separate technique and should not be combined
>> with AD trusts.
>> This combination makes no sense, was not designed to be used together, and
>> is not supported.
>>
>> Therefore, your attempt to add AD replication to already configured AD
>> trusts is wrong.
>> You need to choose which approach to take: either trusts or replication.
>>
>> Dmitri Pal presented AD integration options at DevConf.cz this year. His
>> talk is recorded and available on YouTube: http://www.youtube.com/watch?v=cS6EJ1L7fRI
>> and the slides are here:
>> http://www.devconf.cz/slides/Linux-AD-Integration-Options.odp
>>
>> I'd recommend watching this talk as it is the most detailed explanation of
>> the various options for integrating POSIX and AD environments.
>> --
>> / Alexander Bokovoy
I do not think it is stupid. I think we need to make sure that winsync is not mixed with trusts. IMO we should open two tickets:

a) Add a check to trust-add to see if there is a sync agreement with AD and not try to create a trust when a sync agreement exists.
b) Add a check to the replica manage tool to prevent sync agreement creation when there is a trust.

We might in future have to support some interim state when we define a migration procedure, which we currently do not have.

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
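The checks Dmitri proposes in (a) and (b), as an added example that is not part of the thread or of FreeIPA itself: an administrator's pre-flight script that parses constructed `ipa trust-find` and `ipa-replica-manage list` output (both output formats and the realm/host names are assumptions) and reports any winsync peer that belongs to an already trusted AD realm, so the unsupported trust-plus-winsync mix is caught before either `ipa trust-add` or `ipa-replica-manage connect --winsync` is run.

```python
import re

# Constructed sample output of `ipa trust-find` (CLI format assumed, not from the thread).
TRUST_FIND_OUTPUT = """\
---------------
1 trust matched
---------------
  Realm name: ad.example.test
  Domain NetBIOS name: AD
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed sample output of `ipa-replica-manage list <master>`; winsync
# agreements are assumed to be listed as "<host>: winsync".
REPLICA_LIST_OUTPUT = """\
ipa2.example.test: replica
dc1.ad.example.test: winsync
"""

def parse_trust_realms(output):
    """AD realm names reported by `ipa trust-find`, lower-cased."""
    return [m.group(1).lower()
            for m in re.finditer(r"^\s*Realm name:\s*(\S+)", output, re.M)]

def parse_winsync_peers(output):
    """Hosts that have a winsync agreement with this IPA master."""
    peers = []
    for line in output.splitlines():
        host, sep, kind = line.partition(":")
        if sep and kind.strip() == "winsync":
            peers.append(host.strip().lower())
    return peers

def find_conflicts(trust_realms, winsync_peers):
    """Pair each winsync peer with a trusted realm it belongs to: that forest is
    then both trusted and synced, the combination the thread says is unsupported."""
    return [(peer, realm) for peer in winsync_peers for realm in trust_realms
            if peer == realm or peer.endswith("." + realm)]

def preflight(trust_output, replica_output):
    """True when no trust/winsync mix is present; prints each conflict otherwise."""
    conflicts = find_conflicts(parse_trust_realms(trust_output),
                               parse_winsync_peers(replica_output))
    for peer, realm in conflicts:
        print(f"unsupported: winsync agreement with {peer} while trusting realm {realm}")
    return not conflicts
```

Run `preflight(TRUST_FIND_OUTPUT, REPLICA_LIST_OUTPUT)` on the constructed sample and it returns False, because the winsync peer dc1.ad.example.test sits inside the trusted realm ad.example.test.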