On 10/17/2013 04:59 AM, Dmitri Pal wrote:
> On 10/15/2013 04:23 PM, janice.psyop wrote:
>> Ah, well that makes sense then!
>>
>> I couldn't understand why the freeipa.org doc
>> (http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup) ends at
>> cross realm trust -- plus everything was working fine at that point,
>> but I thought the FC18 docs had further instructions for sync agreements -- it
>> was ID10T error on my part! -- just blindly clicking "next"...
>>
>> So I'm just going to "disconnect" and delete the agreement and
>> certs..... Actually, I may just start from scratch. It was easy
>> enough to do up until the point I mixed up the instructions.
>>
>> Thanks very much for clearing up my misunderstanding / pointing out the
>> obvious!!!
>>
>> And thanks for the link -- probably should watch that first.... LOL.
>>
>> -J.
>>
>> On Tue, Oct 15, 2013 at 4:01 PM, Alexander Bokovoy <[email protected]>
>> wrote:
>>>
>>> ----- Original Message -----
>>>> From: "janice.psyop" <[email protected]>
>>>> To: [email protected]
>>>> Sent: Tuesday, October 15, 2013 6:51:42 PM
>>>> Subject: Re: [Freeipa-users] ipa sync agreement to AD DC is taking a very
>>>> long time
>>>>
>>>> Thanks for the replies.
>>>>
>>>> I checked this morning and it was still hung up on "Update in progress"
>>>> so I killed it.
>>>>
>>>> @Alexander: Yes, I had already established a trust with our AD DC. I
>>>> was doing step "9.4.2. Creating Synchronization Agreements"
>>>> (FreeIPA_Guide/managing-sync-agmt.html). I've been following the
>>>> guide step-by-step.
>>> What I was trying to say is that you have misunderstood the instructions and
>>> are doing a wrong configuration that is not supported and was never meant to
>>> exist.
>>>
>>> AD trusts are configured with the 'ipa-adtrust-install' tool and a trust is
>>> established with the 'ipa trust-add' command.
>>> We don't replicate any user and group related information from AD to IPA
>>> LDAP when using AD trusts.
>>>
>>> AD replication is a totally separate technique and should not be combined
>>> with AD trusts.
>>> This combination makes no sense, was not designed to be used together, and
>>> is not supported.
>>>
>>> Therefore, your attempt to add AD replication to already configured AD
>>> trusts is wrong.
>>> You need to choose what approach to take: either trusts or replication.
>>>
>>> Dmitri Pal presented AD integration options at DevConf.cz this year. His
>>> talk is recorded and available on YouTube:
>>> http://www.youtube.com/watch?v=cS6EJ1L7fRI and the slides are here:
>>> http://www.devconf.cz/slides/Linux-AD-Integration-Options.odp
>>>
>>> I'd recommend watching this talk as it is the most detailed explanation of
>>> the various options for integrating POSIX and AD environments.
>>> --
>>> / Alexander Bokovoy
>
> I do not think it is stupid.
> I think we need to make sure that winsync is not mixed with trusts.
> IMO we should open two tickets:
> a) Add a check to trust-add to see if there is a sync agreement with AD
> and not try to create a trust when a sync agreement exists
> b) Add a check to the replica manage tool to prevent sync agreement creation
> when there is a trust.

One ticket is sufficient, IMO. I filed it:
https://fedorahosted.org/freeipa/ticket/3976

I am just thinking if we want to make the check per AD domain - like having
trusts established with one AD forest, but allow having winsync for another
forest. Probably not...

Martin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
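The trust/winsync mutual-exclusion checks (a) and (b) proposed in the thread, as an added example written for this page rather than FreeIPA project code. It assumes the caller has already captured the text output of `ipa trust-find` and `ipa-replica-manage list`; the formats it parses (a `Realm name:` label per trust, a `<host>: winsync` line per sync agreement) and the sample output below are assumptions, not something the thread states.

```python
import re

# Constructed sample output shaped the way the parsers below assume
# (not real captured output; the format itself is an assumption).
TRUST_FIND_OUTPUT = """\
  Realm name: ad.example.test
  Trust direction: Two-way trust
----------------------------
Number of entries returned 1
----------------------------
"""

REPLICA_LIST_OUTPUT = """\
ipa1.example.test: master
ipa2.example.test: master
dc1.ad.example.test: winsync
"""

def parse_trust_realms(text):
    """AD realms listed in assumed `ipa trust-find` output, lowercased and sorted."""
    found = re.findall(r"^\s*Realm name:\s*(\S+)", text, re.MULTILINE)
    return sorted({realm.lower() for realm in found})

def parse_winsync_hosts(text):
    """Hosts marked 'winsync' in assumed `ipa-replica-manage list` output."""
    hosts = set()
    for line in text.splitlines():
        host, sep, kind = line.strip().rpartition(":")
        if sep and kind.strip().lower() == "winsync":
            hosts.add(host.strip().lower())
    return sorted(hosts)

def may_add_trust(replica_text):
    """Check (a): refuse a new trust while any winsync agreement exists."""
    return not parse_winsync_hosts(replica_text)

def may_add_winsync(trust_text):
    """Check (b): refuse a new winsync agreement while any AD trust exists."""
    return not parse_trust_realms(trust_text)

def check_trust_winsync_conflict(trust_text, replica_text):
    """Report the unsupported mix: trusts and winsync agreements both present."""
    realms = parse_trust_realms(trust_text)
    winsync = parse_winsync_hosts(replica_text)
    if realms and winsync:
        return False, "unsupported: trust(s) %s coexist with winsync agreement(s) %s" % (
            ", ".join(realms), ", ".join(winsync))
    return True, "ok"
```

Run against the sample above, the global check reports the conflict; the per-AD-domain variant Martin wonders about would only need to compare the realm list against the winsync host suffixes.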
