<div dir="ltr"> <div class="gmail_extra"><div class="gmail_quote">On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote: > Hello, > > I installed ipa-server on Centos 7.1 and later did and upgrade of the whole > system to Centos 7.2. > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these > Centos/RHEL minor releases. > > We'd now like to try integrating with a 2FA provider via a radius proxy and > want to use anonymous PKINIT to secure the initial communications between > the client and the KDC. > > We've tried following the MIT Kerberos PKINIT configuration documentation > > <a href="http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html" rel="noreferrer" target="_blank">http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html</a> > > generating our own certs manually with openssl but haven't had any luck. > We're seeing this in the kdc log: > > preauth pkinit failed to initialize: No realms configured correctly for > pkinit support Which changes did you apply to krb5.conf? Did you use the IPA CA to sign the certificate or some other CA? > > I've noticed there are many new pkinit-related options that have been added > to the ipa-server-install script in 4.2.0, so it looks like PKINIT is > available in this version of FreeIPA. Is that the case? Which options are you referring to? bye, Sumit <div class=""><div class="h5"> > > And if it is, what is the recommended way to enable it given that it seems > to have been disabled in the original install that I did? Or would it just > be easier to start from scratch with a 4.2.0 ipa-server-install? (It's a > test instance that doesn't have too much in it - it will take a several > hours to rebuild from scratch.) > > Regards, > > Nik </div></div> </blockquote><div> Thanks Sumit. It sounds like PKINIT is available but clearly I'm doing it wrong. > Which changes did you apply to krb5.conf? Did you use the IPA CA to sign the certificate or some other CA? Actually, I modified the kdc.conf file - placed the kdc.pem, kdckey.pem and cacert.pem files in /var/kerberos/krb5kdc/ that I generated via openssl commands in the MIT Kerberos documentation. The only change to kdc.conf file was to append the location of the kdckey.pem file to pkinit_identity. pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem became pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem Should I have been modifying krb5.conf instead? It aslo sounds like I need to use a certificate signed by the IPAs CA - is this something that should be generated using ipa-getcert? Or do I just find the IPA CA's private key and use openssl following the MIT Kerberos documentation? > Which options are you referring to? When I looked at the --help text for 4.1.0 and 4.2.0 versions of ipa-server-install, I noticed that 4.2.0 has these in the "certificate system options": --no-pkinit disables pkinit setup steps --pkinit-cert-file=FILE File containing the Kerberos KDC SSL certificate and private key --pkinit-pin=PIN The password to unlock the Kerberos KDC private key --pkinit-cert-name=NAME Name of the Kerberos KDC SSL certificate to install Seeing that first one, I was a little hopeful that pkinit is enabled by default in 4.2.0 but on a fresh install I just tried, I'm still seeing the following in krb5kdc.log when IPA is started up, so clearly it isn't. (Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support Regards, Nik </div></div> </div></div>