[Freeipa-users] ipa sync agreement to AD DC is taking a very long time

Martin Kosek mkosek at redhat.com
Thu Oct 17 10:18:27 UTC 2013


On 10/17/2013 04:59 AM, Dmitri Pal wrote:
> On 10/15/2013 04:23 PM, janice.psyop wrote:
>> Ah, well that makes sense then!
>>
>> I couldn't understand why the freeipa.org doc
>> (http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup) ends at
>> cross realm trust -- plus everything was working fine at that point,
>> but I thought the FC18 docs had further instructions for sync agreements --> it
>> was ID10T error on my part! -- just blindly clicking "next"...
>>
>> So I'm just going to "disconnect" and delete the agreement and
>> certs.....  Actually, I may just start from scratch.  It was easy
>> enough to do up until the point I mixed up the instructions.
>>
>> thanks very much for clearing up my misunderstanding / pointing out the obvious!!!
>>
>> And thanks for the link -- probably should watch that first....  LOL.
>>
>> -J.
>>
>>
>>
>>
>> On Tue, Oct 15, 2013 at 4:01 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>>
>>> ----- Original Message -----
>>>> From: "janice.psyop" <janice.psyop at gmail.com>
>>>> To: freeipa-users at redhat.com
>>>> Sent: Tuesday, October 15, 2013 6:51:42 PM
>>>> Subject: Re: [Freeipa-users] ipa sync agreement to AD DC is taking a very long time
>>>>
>>>> Thanks for the replies.
>>>>
>>>> I checked this morning and it was still hung up on "Update in progress"
>>>> so I killed it.
>>>>
>>>> @Alexander: Yes, I had already established a trust with our AD DC.  I
>>>> was doing step "9.4.2. Creating Synchronization Agreements"
>>>> (FreeIPA_Guide/managing-sync-agmt.html). I've been following the
>>>> guide step-by-step.
>>> What I was trying to say is that you have misunderstood instructions and
>>> are doing wrong configuration that is not supported and never was meant to exist.
>>>
>>> AD trusts are configured with 'ipa-adtrust-install' tool and trust is established with 'ipa trust-add' command.
>>> We don't replicate any user and group related information from AD to IPA LDAP when using AD trusts.
>>>
>>> AD replication is a totally separate technique and should not be combined with AD trusts.
>>> This combination makes no sense, was not designed to be used together, and is not supported.
>>>
>>> Therefore, your attempt to add AD replication to already configured AD trusts is wrong.
>>> You need to choose what approach to take: either trusts or replication.
>>>
>>> Dmitri Pal presented AD integration options at DevConf.cz this year. His talk is recorded
>>> and available at youtube: http://www.youtube.com/watch?v=cS6EJ1L7fRI and slides are here:
>>> http://www.devconf.cz/slides/Linux-AD-Integration-Options.odp
>>>
>>> I'd recommend watching this talk as it is the most detailed explanation of the various options
>>> for integrating POSIX and AD environments.
>>> --
>>> / Alexander Bokovoy
> 
> I do not think it is stupid.
> I think we need to make sure that winsync is not mixed with trusts.
> IMO we should open two tickets:
> a) Add a check to trust-add to see if there is a sync agreement with AD
> and not try to create trust when sync agreement exists
> b) Add a check to replica manage tool to prevent sync agreement creation
> when there is a trust.

One ticket is sufficient, IMO. I filed it:

https://fedorahosted.org/freeipa/ticket/3976

I am just thinking if we want to make the check per AD domain - like having
trusts established with one AD forest, but allow having winsync for another
forest. Probably not...

Martin
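An offline sketch of the check proposed above (refuse to mix winsync and trusts, evaluated per AD domain as Martin asks). This is an added example, not FreeIPA code and not code from anyone in the thread; it assumes winsync agreements carry objectClass nsDSWindowsReplicationAgreement with an nsds7WindowsDomain attribute, that trust entries carry objectClass ipaNTTrustedDomain with cn set to the AD domain name, and the LDIF it reads is constructed sample data, not real server output.

```python
"""Detect AD domains that have both a winsync agreement and a cross-forest
trust on the same IPA server, from LDIF text as ldapsearch would print it."""

def parse_ldif(text):
    """Minimal LDIF parser: list of {attr_lower: [values]} dicts.
    Handles folded continuation lines; base64 (::) values are not decoded."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:          # folded continuation line
            cur[last][-1] += raw[1:]
            continue
        if not raw.strip():                       # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        cur.setdefault(last, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def _has_class(entry, objectclass):
    return objectclass in (c.lower() for c in entry.get("objectclass", []))

def winsync_domains(entries):
    # Assumed: winsync agreements name the AD domain in nsds7WindowsDomain.
    return {v.lower() for e in entries if _has_class(e, "nsdswindowsreplicationagreement")
            for v in e.get("nsds7windowsdomain", [])}

def trusted_domains(entries):
    # Assumed: trust entries under cn=ad,cn=trusts use cn = AD domain name.
    return {v.lower() for e in entries if _has_class(e, "ipanttrusteddomain")
            for v in e.get("cn", [])}

def conflicting_domains(ldif_text):
    """Domains that would make trust-add / winsync setup refuse to proceed."""
    entries = parse_ldif(ldif_text)
    return sorted(winsync_domains(entries) & trusted_domains(entries))

# Constructed sample: one domain with both winsync and trust, one trust-only.
SAMPLE_LDIF = """\
dn: cn=meToad1.corp.example.test,cn=replica,cn=mapping tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
nsds7WindowsDomain: CORP.EXAMPLE.TEST

dn: cn=corp.example.test,cn=ad,cn=trusts,dc=example,dc=test
objectClass: ipaNTTrustedDomain
cn: corp.example.test

dn: cn=other.example.test,cn=ad,cn=trusts,dc=example,dc=test
objectClass: ipaNTTrustedDomain
cn: other.example.test
"""

if __name__ == "__main__":
    print("conflicting domains:", conflicting_domains(SAMPLE_LDIF))
```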
