[Freeipa-users] PKINIT support in FreeIPA 4.2.0

Sumit Bose sbose at redhat.com
Wed Feb 3 09:08:21 UTC 2016


On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> Hello,
> 
> I installed ipa-server on Centos 7.1 and later did an upgrade of the whole
> system to Centos 7.2.
> 
> I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
> Centos/RHEL minor releases.
> 
> We'd now like to try integrating with a 2FA provider via a radius proxy and
> want to use anonymous PKINIT to secure the initial communications between
> the client and the KDC.
> 
> We've tried following the MIT Kerberos PKINIT configuration documentation
> 
>     http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html
> 
> generating our own certs manually with openssl but haven't had any luck.
> We're seeing this in the kdc log:
> 
>     preauth pkinit failed to initialize: No realms configured correctly for
> pkinit support

Which changes did you apply to krb5.conf? Did you use the IPA CA to sign
the certificate or some other CA?

> 
> I've noticed there are many new pkinit-related options that have been added
> to the ipa-server-install script in 4.2.0, so it looks like PKINIT is
> available in this version of FreeIPA. Is that the case?

Which options are you referring to?

bye,
Sumit

> 
> And if it is, what is the recommended way to enable it given that it seems
> to have been disabled in the original install that I did? Or would it just
> be easier to start from scratch with a 4.2.0 ipa-server-install? (It's a
> test instance that doesn't have too much in it - it will take several
> hours to rebuild from scratch.)
> 
> Regards,
> 
> Nik
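
For reference, here is an added configuration example (not from this thread or from the FreeIPA project) of the KDC and client settings the MIT PKINIT documentation linked above describes; the realm name and file paths are placeholders. The "No realms configured correctly for pkinit support" message is logged when the KDC's pkinit plugin cannot load an identity for any realm, so the realm stanza in kdc.conf is the first place to check.

```ini
# /var/kerberos/krb5kdc/kdc.conf (KDC side). EXAMPLE.TEST and all file
# paths are placeholders. The KDC certificate must carry the PKINIT KDC
# extended key usage and a KDC subject alternative name for the realm,
# as described in the MIT pkinit documentation.
[realms]
    EXAMPLE.TEST = {
        # The KDC's own certificate and private key. If this cannot be
        # loaded for any realm, the KDC logs "No realms configured
        # correctly for pkinit support" and disables PKINIT preauth.
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        # CA certificate(s) the KDC trusts when validating client
        # certificates; required for the realm to be PKINIT-enabled.
        pkinit_anchors = FILE:/etc/pki/tls/certs/ca.pem
    }

# /etc/krb5.conf (client side)
[libdefaults]
    # CA that issued the KDC certificate; the client uses it to verify
    # the KDC's signed PKINIT reply, which is what protects the
    # anonymous exchange against a spoofed KDC.
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca.pem
```

Anonymous PKINIT additionally needs the WELLKNOWN/ANONYMOUS principal in the realm (`kadmin.local -q "addprinc -randkey WELLKNOWN/ANONYMOUS"`), after which `kinit -n` on a client should obtain an anonymous ticket and the KDC log should no longer show the initialization failure.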
