Ah, well that makes sense then!

I couldn't understand why the freeipa.org doc
(http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup) ends at
cross realm trust -- plus everything was working fine at that point,
but I thought the FC18 docs had further instructions for sync agreements --> it
was ID10T error on my part! -- just blindly clicking "next"...

So I'm just going to "disconnect" and delete the agreement and
certs.....  Actually, I may just start from scratch.  It was easy
enough to do up until the point I mixed up the instructions.

Thanks very much for clearing up my misunderstanding / pointing out the obvious!!!

And thanks for the link -- probably should watch that first....  LOL.


On Tue, Oct 15, 2013 at 4:01 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> ----- Original Message -----
>> From: "janice.psyop" <janice.ps...@gmail.com>
>> To: freeipa-users@redhat.com
>> Sent: Tuesday, October 15, 2013 6:51:42 PM
>> Subject: Re: [Freeipa-users] ipa sync agreement to AD DC is taking a very    
>>  long time
>> Thanks for the replies.
>> I checked this morning and it was still hung up on "Update in progess"
>> so I killed it.
>> @Alexander: Yes, I had already established a trust with our AD DC.  I
>> was doing step " 9.4.2. Creating Synchronization Agreements"
>> (FreeIPA_Guide/managing-sync-agmt.html)    I've been following the
>> guide step-by-step.
> What I was trying to say is that you have misunderstood instructions and
> are doing wrong configuration that is not supported and never was meant to 
> exist.
> AD trusts are configured with 'ipa-adtrust-install' tool and trust is 
> established with 'ipa trust-add' command.
> We don't replicate any user and group related information from AD to IPA LDAP 
> when using AD trusts.
> AD replication is a totally separate technique and should not be combined 
> with AD trusts.
> This combination makes no sense, was not designed to be used together, and is 
> not supported.
> Therefore, your attempt to add AD replication to already configured AD trusts 
> is wrong.
> You need to choose what approach to take: either trusts or replication.
> Dmitri Pal presented AD integration options at DevConf.cz this year. His talk 
> is recorded
> and available at YouTube: http://www.youtube.com/watch?v=cS6EJ1L7fRI and
> slides are here:
> http://www.devconf.cz/slides/Linux-AD-Integration-Options.odp
> I'd recommend watching this talk as it is the most detailed explanation of
> various options
> how to integrate POSIX and AD environments.
> --
> / Alexander Bokovoy

Freeipa-users mailing list
