[Freeipa-users] Web App and Kerberos Delegation

2019-03-11 Thread Dmitry Perets via FreeIPA-users
Hi, My Web Server is enrolled in the FreeIPA domain, but the clients are external. So login is done via a custom login form - part of the Web Application. In this setup, I know how to authenticate the clients to the Web Application using FreeIPA as a backend - I can use

[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-11 Thread Will Kay via FreeIPA-users
I knew we are close because there wasn't much to check anymore. =) The sshd configuration was updated by the installation. On 18.04, somehow there was only one line in one pam files. I added what Alex suggested and followed up with pam-auth-update. It is good on 18.04 now. 16.04 is also

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 11 Mar 2019, Callum Smith wrote: Dear Alexander, Some more (hopefully) helpful information with a KRB5_TRACE on while running ipa-client install: Thanks, I just sent a request for basically the same. ;) ipa-client-install WARNING: ntpd time synchronization service will not be

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 11 Mar 2019, Callum Smith wrote: Dear Alexander, We're wondering that too, there's obviously a disparity between the domain that either end is issuing the LDAP ticket for, and the SRV records for the `virt.in.bmrc.ox.ac.uk` domain all point to the LDAP endpoint. Do I need specific SRV

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
Dear Alexander, Some more (hopefully) helpful information with a KRB5_TRACE on while running ipa-client install: ipa-client-install WARNING: ntpd time synchronization service will not be configured as conflicting service (chronyd) is enabled Use --force-ntpd option to disable it and force

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
Dear Alexander, We're wondering that too, there's obviously a disparity between the domain that either end is issuing the LDAP ticket for, and the SRV records for the `virt.in.bmrc.ox.ac.uk` domain all point to the LDAP endpoint. Do I need specific SRV records for ldaps and not ldap? I earlier

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 11 Mar 2019, Callum Smith wrote: Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, if I use the ldap host: ldaps://ipa-b.in.bmrc.ox.ac.uk/ but not: ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/ Since the client can only access the network that is

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, if I use the ldap host: ldaps://ipa-b.in.bmrc.ox.ac.uk/ but not: ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/ Since the client can only access the network that is ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate

[Freeipa-users] FreeIPA causing issues with SMB shares

2019-03-11 Thread Kristian Petersen via FreeIPA-users
We have been using IPA with a number of Ubuntu workstations, but have had to remove freeipa-client from them because something that happens when enrolling them prevents them from mounting SMB shares from our fileserver. Is there a simple explanation as to why this happens? The shares work fine

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
From dse.ldiff nsslapd-localhost: ipa-b.in.bmrc.ox.ac.uk Fairly sure this is representative of the current running configuration, as the node was rebooted only hours ago. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e.

[Freeipa-users] Re: IPA install with custom CA fails at SSL: CERTIFICATE_VERIFY_FAILED

2019-03-11 Thread Jonny McCullagh via FreeIPA-users
Thank you Fraser - you hit the nail on the head! I had used openssl to create my Root CA and then an Intermediate CA following the guides at: https://jamielinux.com/docs/openssl-certificate-authority/ In that guide the extension for the intermediate is for pathlen:0 so I either need to change

[Freeipa-users] Re: FreeIPA-users Digest, Vol 23, Issue 8

2019-03-11 Thread Rob Crittenden via FreeIPA-users
Julian Gethmann via FreeIPA-users wrote: > Hello Anthony, > > I don't know if there is an official tool for that, but since I once > wrote a similar script, you might be happy with that. It requires that > your Python 3 installation has got the IPA libraries installed and you > have got a valid

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 11 Mar 2019, Alexander Bokovoy via FreeIPA-users wrote: On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote: Dear Alexander, Sorry, yes indeed using ipa-client-install. The ipaclient-install.log should be attached, I can upload to dropbox if needed. Discovery happens

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote: Dear Alexander, Sorry, yes indeed using ipa-client-install. The ipaclient-install.log should be attached, I can upload to dropbox if needed. Discovery happens successfully, but LDAP GSSAPI authentication is failing for some reason.

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Callum Smith via FreeIPA-users
Dear Alexander, Sorry, yes indeed using ipa-client-install. The ipaclient-install.log should be attached, I can upload to dropbox if needed. Discovery happens successfully, but LDAP GSSAPI authentication is failing for some reason. Regards, Callum -- Callum Smith Research Computing Core

[Freeipa-users] Re: Sub-zone client fails to install, GSS authentication pre-auth issues

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote: Dear IPA Gurus I have a client that's incapable of joining the FreeIPA realm, it's in a different DNS sub-zone but is in the same realm. I get the feeling that there's a kerberos principal missing somewhere to get this all to work,

[Freeipa-users] Re: Web app integration

2019-03-11 Thread Alex Corcoles via FreeIPA-users
Well, looking at it I think it's already well documented at: https://www.freeipa.org/page/Web_App_Authentication#Kerberos So maybe it doesn't need any change, although a link to the RFC and being more explicit about the HTTP/ thing would be better, I guess... but now I feel that the

[Freeipa-users] Re: Web app integration

2019-03-11 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 11 Mar 2019, Alex Corcoles via FreeIPA-users wrote: On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy wrote: Yes, the naming of Kerberos principals is more or less historical. All browsers only request service tickets to HTTP/ principal. If you expect browsers to utilize GSSAPI,

[Freeipa-users] Re: Web app integration

2019-03-11 Thread Alex Corcoles via FreeIPA-users
On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy wrote: > > Yes, the naming of Kerberos principals is more or less historical. All > browsers only request service tickets to HTTP/ principal. If > you expect browsers to utilize GSSAPI, your target Kerberos service > principal must be HTTP/..

[Freeipa-users] Re: FreeIPA-users Digest, Vol 23, Issue 8

2019-03-11 Thread Julian Gethmann via FreeIPA-users
Hello Anthony, I don't know if there is an official tool for that, but since I once wrote a similar script, you might be happy with that. It requires that your Python 3 installation has got the IPA libraries installed and you have got a valid Kerberos ticket. I have tested it only on Fedora

[Freeipa-users] Re: sss_ssh_authorizedkeys returns nothing on client

2019-03-11 Thread Sumit Bose via FreeIPA-users
On Thu, Mar 07, 2019 at 05:24:10PM -, Charles Ulrich via FreeIPA-users wrote: > For what it's worth, I have verified that I can run this on the client and it > returns the override object immediately: > > ldapsearch -x -H ldaps://arb-01.engipa.example.com -D 'cn=Directory Manager ' > -W -b

[Freeipa-users] Re: Ad user password authentication doesn't work

2019-03-11 Thread Sumit Bose via FreeIPA-users
On Sun, Mar 10, 2019 at 05:28:15AM -, Patrick Irish via FreeIPA-users wrote: > I was following the documentation here > https://www.freeipa.org/page/Active_Directory_trust_setup Is there a > different doc I should have followed? Ok, thanks. The checks in this document are just trying to