----- Original Message -----
> From: "janice.psyop" <janice.ps...@gmail.com>
> To: freeipa-users@redhat.com
> Sent: Tuesday, October 15, 2013 6:51:42 PM
> Subject: Re: [Freeipa-users] ipa sync agreement to AD DC is taking a very long time
> Thanks for the replies.
> I checked this morning and it was still hung up on "Update in progress"
> so I killed it.
> @Alexander: Yes, I had already established a trust with our AD DC. I
> was doing step "9.4.2. Creating Synchronization Agreements"
> (FreeIPA_Guide/managing-sync-agmt.html). I've been following the
> guide step-by-step.
What I was trying to say is that you have misunderstood the instructions and
are doing a wrong configuration that is not supported and never was meant to

AD trusts are configured with the 'ipa-adtrust-install' tool and the trust is
established with the 'ipa trust-add' command.
We don't replicate any user and group related information from AD to IPA LDAP 
when using AD trusts.

AD replication is a totally separate technique and should not be combined with 
AD trusts. 
This combination makes no sense, was not designed to be used together, and is 
not supported.

Therefore, your attempt to add AD replication to already configured AD trusts
is wrong.
You need to choose what approach to take: either trusts or replication.

Dmitri Pal presented AD integration options at DevConf.cz this year. His talk
is recorded and available on YouTube: http://www.youtube.com/watch?v=cS6EJ1L7fRI
and slides are here:

I'd recommend watching this talk, as it is the most detailed explanation of various
how to integrate POSIX and AD environments.
/ Alexander Bokovoy
