On 10/15/2013 04:23 PM, janice.psyop wrote:
> Ah, well that makes sense then!
> I couldn't understand why the freeipa.org doc
> (http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup) ends at
> cross realm trust -- plus everything was working fine at that point,
> but I thought the FC18 docs had further instructions for sync agreements --> it
> was ID10T error on my part! -- just blindly clicking "next"...
> So I'm just going to "disconnect" and delete the agreement and
> certs.....  Actually, I may just start from scratch.  It was easy
> enough to do up until the point I mixed up the instructions.
> thanks very much for clearing up my misunderstanding / pointing out the obvious!!!
> And thanks for the link -- probably should watch that first....  LOL.
> -J.
> On Tue, Oct 15, 2013 at 4:01 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> ----- Original Message -----
>>> From: "janice.psyop" <janice.ps...@gmail.com>
>>> To: freeipa-users@redhat.com
>>> Sent: Tuesday, October 15, 2013 6:51:42 PM
>>> Subject: Re: [Freeipa-users] ipa sync agreement to AD DC is taking a very long time
>>> Thanks for the replies.
>>> I checked this morning and it was still hung up on "Update in progress"
>>> so I killed it.
>>> @Alexander: Yes, I had already established a trust with our AD DC.  I
>>> was doing step " 9.4.2. Creating Synchronization Agreements"
>>> (FreeIPA_Guide/managing-sync-agmt.html)    I've been following the
>>> guide step-by-step.
>> What I was trying to say is that you have misunderstood the instructions and
>> are doing a wrong configuration that is not supported and was never meant to
>> exist.
>> AD trusts are configured with 'ipa-adtrust-install' tool and trust is 
>> established with 'ipa trust-add' command.
>> We don't replicate any user and group related information from AD to IPA 
>> LDAP when using AD trusts.
>> AD replication is a totally separate technique and should not be combined 
>> with AD trusts.
>> This combination makes no sense, was not designed to be used together, and 
>> is not supported.
>> Therefore, your attempt to add AD replication to already configured AD 
>> trusts is wrong.
>> You need to choose what approach to take: either trusts or replication.
>> Dmitri Pal presented AD integration options at DevConf.cz this year. His
>> talk is recorded and available on YouTube: http://www.youtube.com/watch?v=cS6EJ1L7fRI
>> and the slides are here:
>> http://www.devconf.cz/slides/Linux-AD-Integration-Options.odp
>> I'd recommend watching this talk as it is the most detailed explanation of
>> the various options for integrating POSIX and AD environments.
>> --
>> / Alexander Bokovoy

I do not think it is stupid.
I think we need to make sure that winsync is not mixed with trusts.
IMO we should open two tickets:
a) Add a check to trust-add to see if there is a sync agreement with AD
and not try to create trust when sync agreement exists
b) Add a check to replica manage tool to prevent sync agreement creation
when there is a trust.

We might in the future have to support some interim state when we define a
migration procedure, which we currently do not have.


Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?
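As an added example (not from this thread or the FreeIPA project), a shell preflight that implements the two guards proposed above: it refuses a trust when a winsync agreement exists and refuses a winsync agreement when a trust exists. It assumes the `host: winsync` / `host: replica` line format of `ipa-replica-manage list` and the `Number of entries returned N` footer of `ipa trust-find`, and runs on constructed sample output rather than a live server.

```shell
#!/bin/sh
# Preflight for the two guards proposed above: refuse 'ipa trust-add' when a
# winsync agreement exists, and refuse a winsync agreement when a trust exists.
# Command output is passed in as text so the checks run offline on the
# constructed samples at the bottom.

# has_winsync LISTING: succeeds if `ipa-replica-manage list <ipa-host>` output
# (assumed "host: winsync" / "host: replica" lines) shows a winsync agreement.
has_winsync() {
    printf '%s\n' "$1" | grep -qi ': winsync'
}

# has_trust OUTPUT: succeeds if `ipa trust-find` output reports at least one
# trust in its "Number of entries returned N" footer.
has_trust() {
    n=$(printf '%s\n' "$1" |
        sed -n 's/.*Number of entries returned \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# preflight MODE AGREEMENTS TRUSTS: MODE is "trust-add" or "winsync"; returns 1
# when the operation would mix trusts and winsync, 0 when it is safe.
preflight() {
    mode=$1; agreements=$2; trusts=$3
    case "$mode" in
        trust-add)
            if has_winsync "$agreements"; then
                echo "refusing trust-add: a winsync agreement already exists" >&2
                return 1
            fi ;;
        winsync)
            if has_trust "$trusts"; then
                echo "refusing winsync agreement: an AD trust already exists" >&2
                return 1
            fi ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    return 0
}

# Constructed sample output (not captured from a real server).
SAMPLE_AGREEMENTS='ipa2.example.test: replica
ad.example.test: winsync'
SAMPLE_TRUSTS='1 trust matched
  Realm name: ad.example.test
Number of entries returned 1'
NO_TRUSTS='0 trusts matched
Number of entries returned 0'
```

In real use the two arguments would be the captured output of `ipa-replica-manage list "$(hostname)"` and `ipa trust-find`, run before the corresponding administrative command.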
