Dear Alexander,

It seems setting up the principal alias has gotten us to a further point down the line, but we're seeing other issues now.

We've moved both ldap/ and HTTP/ principals to aliases of the main principal (the downside being we can't do an altname-based automated certificate request - but manually issuing certificates is an ok workaround). We're still seeing issues potentially relating to the HTTP principal authentication though, despite it now being an alias. Any ideas here?

Regards,
Callum

--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 14:27, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:

Dear IPA Gurus

I have a client that's incapable of joining the FreeIPA realm, it's in a different DNS sub-zone but is in the same realm. I get the feeling that there's a Kerberos principal missing somewhere to get this all to work, but I can't quite see where it might be.

Simple authentication ldapsearch using cn=Directory Manager functions perfectly well to the ipa host in question, however anonymous binds are disabled. I'm not clear why this wouldn't be working.

From the above it is unclear what your problem is. Can you show what exactly is failing?

ipa-client-install is failing? Show logs from /var/log/ipaclient-install.log.

You aren't using FreeIPA enrollment? How exactly did you try to enroll that client? Show sequence of commands you ran.

It is not easy to help with no logs and exact steps tried.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Attachments: krb5trace, ipaclient-install.log