Hello,

for documentation purposes: I was able to fix the user sync problem, although I am still
not sure what the cause was.
Here's what I've done:
yum install ca-certificates                  # package that provides the consolidated system trust store
update-ca-trust force-enable                 # enable the consolidated trust store
cp {windows,freeipa}.crt /etc/pki/ca-trust/source/anchors/   # AD CA and FreeIPA CA certificates as trust anchors
update-ca-trust extract                      # regenerate the bundles under /etc/pki/ca-trust/extracted/
ipa-replica-manage disconnect freeipa.priv.example.de hades.hq.example.de   # drop the existing agreement between the two servers
ipa-replica-manage connect --winsync --binddn …   # recreate it as a winsync agreement (rest of the command line elided in the post)
Previously, the AD certificate had been made available to the 389 server in the same way
the documentation describes (see [9.4 Managing Syncronisation Agreements]). But since
I wasn't able to disconnect the replication agreement due to licensing issues, I
decided to install the certificates system-wide.
Although this could not have been the cause of the partial (!) synchronisation problem, I do
now have every user in FreeIPA.
So the only issue I haven't been able to resolve so far is group sync, but to be
blunt, there are more pressing issues for me, even though it's inconvenient.
I do hope that this helps someone in the future.
Best regards,
Theo
[9.4 Managing Syncronisation Agreements]:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managin...
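A check worth running after the steps in Theo's post, added here as an example that is not part of the original message: confirm that the anchors copied into /etc/pki/ca-trust/source/anchors/ really ended up in the bundle that `update-ca-trust extract` writes, by comparing SHA-256 fingerprints of the DER bytes rather than the PEM text (the extracted bundle re-wraps blocks and inserts comment lines). The default update-ca-trust paths and the names `check_anchors.py`, `der_fingerprints` and `missing_anchors` are assumptions; the embedded "certificates" are constructed stand-ins (arbitrary bytes in PEM armour), not real certificates, and only exercise the matching logic.

```python
"""Verify that CA anchors actually landed in the extracted trust bundle.

Added example; not code from the original mailing-list post. It assumes the
default update-ca-trust layout on RHEL/CentOS/Fedora (an assumption):
  anchors -> /etc/pki/ca-trust/source/anchors/*.crt
  bundle  -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Certificates are compared by the SHA-256 of their DER bytes, so a PEM block
that update-ca-trust re-wrapped or annotated still matches its anchor.
Standard library only.
"""
import base64
import hashlib
import re
import sys

BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # assumed default path

# One PEM certificate block; DOTALL lets the base64 body span several lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def der_fingerprints(pem_text):
    """SHA-256 hex fingerprints of every well-formed certificate block in pem_text.

    Text outside the BEGIN/END markers (for example the subject/issuer comment
    lines update-ca-trust writes between blocks) is ignored. Whitespace inside
    the body is stripped before decoding, so 64-column and single-line PEM give
    the same fingerprint. A block whose body is not valid base64 is skipped.
    """
    fps = []
    for match in PEM_BLOCK.finditer(pem_text):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def missing_anchors(anchor_pems, bundle_pem):
    """Return the fingerprints of anchor certificates that are absent from the bundle."""
    present = set(der_fingerprints(bundle_pem))
    return [fp for pem in anchor_pems for fp in der_fingerprints(pem) if fp not in present]


# --- constructed sample data: NOT real certificates, just arbitrary bytes in
# PEM armour, enough to exercise the matching logic offline -------------------
def _fake_pem(payload, width=64):
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


WINDOWS_CRT = _fake_pem(b"constructed stand-in for the AD CA certificate")
FREEIPA_CRT = _fake_pem(b"constructed stand-in for the FreeIPA CA certificate")
# A bundle shaped like the output of `update-ca-trust extract`: an unrelated
# root, comment lines, and the AD CA re-wrapped onto a single line. The FreeIPA
# CA is deliberately left out so the check has something to report.
SAMPLE_BUNDLE = (
    "# Some Unrelated Root\n"
    + _fake_pem(b"constructed stand-in for an unrelated root")
    + "\n# Windows AD CA\n"
    + _fake_pem(b"constructed stand-in for the AD CA certificate", width=10_000)
)


def main(argv):
    """Usage: check_anchors.py [anchor.crt ...]; with no arguments the sample data is checked."""
    if len(argv) > 1:
        anchors = [open(p, encoding="utf-8", errors="replace").read() for p in argv[1:]]
        bundle = open(BUNDLE, encoding="utf-8", errors="replace").read()
    else:
        anchors, bundle = [WINDOWS_CRT, FREEIPA_CRT], SAMPLE_BUNDLE
    missing = missing_anchors(anchors, bundle)
    for fp in missing:
        print("anchor NOT in bundle: sha256=%s" % fp)
    if not missing:
        print("all anchors present in bundle")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a real host, `python3 check_anchors.py /etc/pki/ca-trust/source/anchors/windows.crt /etc/pki/ca-trust/source/anchors/freeipa.crt` exits non-zero and names the fingerprint of any anchor that `update-ca-trust extract` did not pick up, which is the first thing to rule out before suspecting the 389 server's own NSS database or the agreement itself.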