On Wed, 13 Mar 2019, Callum Smith wrote:
Dear Alexander,
Golden! We are in business - all puzzle pieces are in place so thank
you very much for ongoing stamina with this. I'll write this all up so
that someone else might take some value from it in the future.
Great.
Yes, please do a write
Dear Alexander,
Golden! We are in business - all puzzle pieces are in place so thank you very
much for ongoing stamina with this. I'll write this all up so that someone else
might take some value from it in the future.
Thank you again.
Regards,
Callum
--
Callum Smith
Research Computing Core
On Wed, 13 Mar 2019, Callum Smith wrote:
Dear Alexander,
The last small wrinkle, setting the server options is fine and works
well, but the DNS record creation still doesn't work. I see it queries
the SOA record and then appears to use that as the server to send the
changes to.
I tried to
Dear Alexander,
The last small wrinkle, setting the server options is fine and works well, but
the DNS record creation still doesn't work. I see it queries the SOA record and
then appears to use that as the server to send the changes to.
I tried to set the SOA records for the virt.$domain
On Tue, 12 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,
We already have the correct _ldap._tcp.virt.$domain in place, and the
discovery at the start of ipa-client-install is working correctly, it
discovers the correct information and installs based on that:
Discovery was
Dear Alexander,
We already have the correct _ldap._tcp.virt.$domain in place, and the discovery
at the start of ipa-client-install is working correctly, it discovers the
correct information and installs based on that:
Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
On Tue, 12 Mar 2019, Callum Smith wrote:
Yep you're not wrong, one of our IPA replicas was being evil and
spitting errors. That replica is destined for the bin anyway so I've
not worried about it. All of the kerberos issues have now gone away -
except one which is more of a question than
Yep you're not wrong, one of our IPA replicas was being evil and spitting
errors. That replica is destined for the bin anyway so I've not worried about
it. All of the kerberos issues have now gone away - except one which is more of
a question than anything. Is it intentional that the sub-zone
On Tue, 12 Mar 2019, Callum Smith wrote:
So I've just re-run the client install to avoid the noise of
krb5kdc.log (just as to why the timestamps don't match) and this is the
entire block:
In the client krb5 trace I can see it talks to four different KDCs, not
to ipa-b alone, because the
So I've just re-run the client install to avoid the noise of krb5kdc.log (just
as to why the timestamps don't match) and this is the entire block:
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH:
On Tue, 12 Mar 2019, Callum Smith wrote:
Dear Alexander,
No worries - here's the krb5kdc.log relevant area when you get a
moment. I understand that service aliases are relatively new to FreeIPA
so debugging them is proving to be a bit tricky.
Hm.. the log you provided does not include a line
Dear Alexander,
No worries - here's the krb5kdc.log relevant area when you get a moment. I
understand that service aliases are relatively new to FreeIPA so debugging them
is proving to be a bit tricky.
Mar 12 10:54:31 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes
{18 17 20 19
ldap/ipa-b.virt.$domain > ldap/ipa-b.$domain
HTTP/ipa-b.virt.$domain > HTTP/ipa-b.$domain
both aliases as above - krb5trace should be in attachments on previous message.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e.
On Tue, 12 Mar 2019, Callum Smith wrote:
Dear Alexander,
It seems setting up the principal alias has gotten us to a further point down
the line, but we're seeing other issues now.
We've moved both ldap/ and HTTP/ principals to aliases of the main
principal (the downside being we can't do an
Dear Alexander,
It seems setting up the principal alias has gotten us to a further point down
the line, but we're seeing other issues now.
We've moved both ldap/ and HTTP/ principals to aliases of the main principal
(the downside being we can't do an altname-based automated certificate request
On Mon, 11 Mar 2019, Callum Smith wrote:
Dear Alexander,
Some more (hopefully) helpful information with a KRB5_TRACE on while
running ipa-client install:
Thanks, I just sent a request for basically the same. ;)
ipa-client-install
WARNING: ntpd time synchronization service will not be
On Mon, 11 Mar 2019, Callum Smith wrote:
Dear Alexander,
We're wondering that too, there's obviously a disparity between the
domain that either end is issuing the LDAP ticket for, and the SRV
records for the `virt.in.bmrc.ox.ac.uk` domain all point to the LDAP
endpoint. Do I need specific SRV
Dear Alexander,
Some more (hopefully) helpful information with a KRB5_TRACE on while running
ipa-client install:
ipa-client-install
WARNING: ntpd time synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force
Dear Alexander,
We're wondering that too, there's obviously a disparity between the domain that
either end is issuing the LDAP ticket for, and the SRV records for the
`virt.in.bmrc.ox.ac.uk` domain all point to the LDAP endpoint. Do I need
specific SRV records for ldaps and not ldap? I earlier
On Mon, 11 Mar 2019, Callum Smith wrote:
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works,
if I use the ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/
Since the client can only access the network that is
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works,
if I use the ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/
Since the client can only access the network that is
ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate
From dse.ldiff
nsslapd-localhost: ipa-b.in.bmrc.ox.ac.uk
Fairly sure this is representative of the current running configuration, as the
node was rebooted only hours ago.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e.
On Mon, 11 Mar 2019, Alexander Bokovoy via FreeIPA-users wrote:
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,
Sorry, yes indeed using ipa-client-install. The ipaclient-install.log
should be attached, I can upload to dropbox if needed. Discovery
happens
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,
Sorry, yes indeed using ipa-client-install. The ipaclient-install.log
should be attached, I can upload to dropbox if needed. Discovery
happens successfully, but LDAP GSSAPI authentication is failing for some
reason.
Dear Alexander,
Sorry, yes indeed using ipa-client-install. The ipaclient-install.log should be
attached, I can upload to dropbox if needed. Discovery happens successfully, but
LDAP GSSAPI authentication is failing for some reason.
Regards,
Callum
--
Callum Smith
Research Computing Core
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear IPA Gurus
I have a client that's incapable of joining the FreeIPA realm, it's in
a different DNS sub-zone but is in the same realm. I get the feeling
that there's a kerberos principal missing somewhere to get this all to
work,