[Freeipa-users] ipa sync agreement to AD DC is taking a very long time

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 15 20:01:11 UTC 2013



----- Original Message -----
> From: "janice.psyop" <janice.psyop at gmail.com>
> To: freeipa-users at redhat.com
> Sent: Tuesday, October 15, 2013 6:51:42 PM
> Subject: Re: [Freeipa-users] ipa sync agreement to AD DC is taking a very long time
> 
> Thanks for the replies.
> 
> I checked this morning and it was still hung up on "Update in progress"
> so I killed it.
> 
> @Alexander: Yes, I had already established a trust with our AD DC. I
> was doing step "9.4.2. Creating Synchronization Agreements"
> (FreeIPA_Guide/managing-sync-agmt.html). I've been following the
> guide step-by-step.

What I was trying to say is that you have misunderstood the instructions and
are doing a wrong configuration that is not supported and was never meant to exist.

AD trusts are configured with the 'ipa-adtrust-install' tool, and the trust is established with the 'ipa trust-add' command.
We don't replicate any user- and group-related information from AD to IPA LDAP when using AD trusts.

AD replication is a totally separate technique and should not be combined with AD trusts. 
This combination makes no sense, was not designed to be used together, and is not supported.

Therefore, your attempt to add AD replication to the already configured AD trusts is wrong.
You need to choose which approach to take: either trusts or replication.

Dmitri Pal presented AD integration options at DevConf.cz this year. His talk is recorded
and available on YouTube: http://www.youtube.com/watch?v=cS6EJ1L7fRI and the slides are here:
http://www.devconf.cz/slides/Linux-AD-Integration-Options.odp

I'd recommend watching this talk, as it is the most detailed explanation of the various options
for integrating POSIX and AD environments.
-- 
/ Alexander Bokovoy



