[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT

stlaz freeipa-github-notification at redhat.com
Tue May 9 08:28:43 UTC 2017


URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
External CA (rebased on current master to be able to install):
```
$ kinit -n
kinit: Invalid certificate while getting initial credentials
$ /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_9588 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
kinit: Invalid certificate while getting initial credentials
```
and on replica:
```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```
=> this breaks WebUI on external CA installations.

=================================
CA-less with `--no-pkinit`:
```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```
but I guess that's expected; WebUI works, since the following works as well:
```
$ /usr/bin/kinit -n -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
```
=================================
In CA-less with PKINIT options, `kinit -n` works fine, although replica installation will produce:
```
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
ipa         : ERROR    PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
ipa         : ERROR    Failed to configure PKINIT
Done configuring Kerberos KDC (krb5kdc).
```
when run with our own PKINIT certificate from the `--pkinit-cert-file` option. I don't think it should be asking any CA for a certificate if we already have the certificate.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-300097018