Dear Alexander,
Golden! We are in business - all puzzle pieces are in place so thank you very
much for ongoing stamina with this. I'll write this all up so that someone else
might take some value from it in the future.
Thank you again.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk
On 12 Mar 2019, at 17:08, Alexander Bokovoy <aboko...@redhat.com> wrote:
On Tue, 12 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,
We already have the correct _ldap._tcp.virt.$domain in place, and the discovery
at the start of ipa-client-install is working correctly, it discovers the
correct information and installs based on that:
Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
Yep you're not wrong, one of our IPA replicas was being evil and spitting
errors. That replica is destined for the bin anyway so I've not worried about
it. All of the kerberos issues have now gone away - except one which is more of
a question than anything. Is it intentional that the sub-zone
So I've just re-run the client install to avoid the noise of krb5kdc.log (just
as to why the timestamps don't match) and this is the entire block:
Mar 12 12:08:48 ipa-b.in.bmrc.ox.ac.uk krb5kdc[1967](info): AS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 10.141.17.1: NEEDED_PREAUTH:
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk
On 12 Mar 2019, at 11:52, Alexander Bokovoy <aboko...@redhat.com> wrote:
On Tue, 12 Mar 2019, Callum Smith via FreeIPA-users wrote:
ldap/ipa-b.virt.$domain
<mailto:aboko...@redhat.com>>
wrote:
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear IPA Gurus
I have a client that's incapable of joining the FreeIPA realm, it's in
a different DNS sub-zone but is in the same realm. I get the feeling
that there's a kerberos principal mis
Genetics
University of Oxford
e. cal...@well.ox.ac.uk
On 11 Mar 2019, at 14:27, Alexander Bokovoy <aboko...@redhat.com> wrote:
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear IPA Gurus
I have a client that's incapable of joining the F
Dear Alexander,
Some more (hopefully) helpful information with a KRB5_TRACE on while running
ipa-client install:
ipa-client-install
WARNING: ntpd time synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force
Dear Alexander,
We're wondering that too, there's obviously a disparity between the domain that
either end is issuing the LDAP ticket for, and the SRV records for the
`virt.in.bmrc.ox.ac.uk` domain all point to the LDAP endpoint. Do I need
specific SRV records for ldaps and not ldap? I earlier
On 11 Mar 2019, at 15:58, Alexander Bokovoy <aboko...@redhat.com> wrote:
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,
klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp
e. cal...@well.ox.ac.uk
On 11 Mar 2019, at 15:58, Alexander Bokovoy <aboko...@redhat.com> wrote:
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,
klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk
On 11 Mar 2019, at 14:27, Alexander Bokovoy <aboko...@redhat.com> wrote:
On Mon, 11 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear IPA Gurus
I have a c
Dear FreeIPA Gurus,
I was wondering if it's possible to configure `sshd` such that for OTP based
authentication the first factor could be passed as a ssh key or certificate.
So specifically: The user's password would not be required for auth, only the
key and OTP token. Is there a magic
Dear All,
We have a number of DNS sub zones in different IP subnets, and we want to
ensure that DNS queries respond quickly and aren't waiting for timeouts. So as
such we're thinking of putting our IPA on multiple interfaces, one in each sub
zone, and registering the host and its clients
University of Oxford
e. cal...@well.ox.ac.uk
On 4 Feb 2019, at 22:06, Rob Crittenden <rcrit...@redhat.com> wrote:
Callum Smith via FreeIPA-users wrote:
Dear All,
I'm seeing issues with the time synchronisation for OTP but ONLY for
authentication
Dear All,
I'm seeing issues with the time synchronisation for OTP but ONLY for
authentication through LDAP and not through kerberos. Is this even possible or
am I going down the wrong rabbit hole on this issue? The error presents as LDAP
authentication giving "ldap operation failed" when
Dear Rob,
Thanks for the fast reply, I think there's something really wrong with the
hostname that's configured for the box (that'll teach me for using Ansible),
and it's trying to auth locally when it's not running yet.
krb5kdc.log
Nov 01 18:18:59 ipa-a.in.bmrc.ox.ac.uk krb5kdc[11212](info):
Dear All,
Running a FreeIPA cluster, the master has fallen over and refuses to get back
up:
Failed to read data from service file: Unknown error when retrieving list of
services from LDAP: Insufficient access: SASL(-4): no mechanism available:
(Unknown authentication method)
I was wondering
Dear Alexander,
You're exactly right, failure on my part to understand how the module
underneath was parsing keyword arguments (and that the attribute had to be
specifically omitted and not just a None value).
Thanks for your help, all working fine now.
Regards,
Callum
--
Callum Smith
Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk
On 24 Oct 2018, at 17:54, Alexander Bokovoy <aboko...@redhat.com> wrote:
On Wed, 24 Oct 2018, Callum Smith via FreeIPA-users wrote:
Dear Rob,
I'm using the py
at 12:47, Rob Crittenden <rcrit...@redhat.com> wrote:
Callum Smith via FreeIPA-users wrote:
Dear All,
When using the API to create an account, if I don't specify the
uidnumber I get this error:
missing attribute "uidNumber" required b
On 24 Oct 2018, at 12:47, Rob Crittenden <rcrit...@redhat.com> wrote:
Callum Smith via FreeIPA-users wrote:
Dear All,
When using the API to create an account, if I don't specify the
uidnumber I get this error:
missing attribute "uidNumber" re
Dear All,
When using the API to create an account, if I don't specify the uidnumber I get
this error:
missing attribute "uidNumber" required by object class "posixAccount"
I was expecting the uidNumber to function thus: "system will assign one if not
provided"
Am I missing something?
Dear All,
Seems this has come up before but the previous fix no longer works. Is there a
way to do this through the Roles, because it doesn't seem obvious to me
immediately? Any help welcomed!
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics