----- Original Message -----
> From: "janice.psyop" <[email protected]>
> To: [email protected]
> Sent: Tuesday, October 15, 2013 6:51:42 PM
> Subject: Re: [Freeipa-users] ipa sync agreement to AD DC is taking a very
> long time
>
> Thanks for the replies.
>
> I checked this morning and it was still hung up on "Update in progess"
> so I killed it.
>
> @Alexander: Yes, I had already established a trust with our AD DC. I
> was doing step " 9.4.2. Creating Synchronization Agreements"
> (FreeIPA_Guide/managing-sync-agmt.html) I've been following the
> guide step-by-step.

What I was trying to say is that you have misunderstood instructions and are doing wrong configuration that is not supported and never was meant to exist.
AD trusts are configured with the 'ipa-adtrust-install' tool, and the trust is established with the 'ipa trust-add' command. We don't replicate any user and group related information from AD to IPA LDAP when using AD trusts.

AD replication is a totally separate technique and should not be combined with AD trusts. This combination makes no sense, was not designed to be used together, and is not supported.

Therefore, your attempt to add AD replication to already configured AD trusts is wrong. You need to choose what approach to take: either trusts or replication.

Dmitri Pal presented AD integration options at DevConf.cz this year. His talk is recorded and available on YouTube: http://www.youtube.com/watch?v=cS6EJ1L7fRI and the slides are here: http://www.devconf.cz/slides/Linux-AD-Integration-Options.odp

I'd recommend watching this talk, as it is the most detailed explanation of the various options for integrating POSIX and AD environments.

--
/ Alexander Bokovoy
