[Freeipa-users] PKINIT support in FreeIPA 4.2.0

Sumit Bose sbose at redhat.com
Mon Feb 8 12:53:41 UTC 2016


On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote:
> On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose <sbose at redhat.com> wrote:
> 
> > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> > > Hello,
> > >
> > > I installed ipa-server on Centos 7.1 and later did an upgrade of the
> > whole
> > > system to Centos 7.2.
> > >
> > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
> > > Centos/RHEL minor releases.
> > >
> > > We'd now like to try integrating with a 2FA provider via a radius proxy
> > and
> > > want to use anonymous PKINIT to secure the initial communications between
> > > the client and the KDC.
> > >
> > > We've tried following the MIT Kerberos PKINIT configuration documentation
> > >
> > >     http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html
> > >
> > > generating our own certs manually with openssl but haven't had any luck.
> > > We're seeing this in the kdc log:
> > >
> > >     preauth pkinit failed to initialize: No realms configured correctly
> > for
> > > pkinit support
> >
> > Which changes did you apply to krb5.conf? Did you use the IPA CA to sign
> > the certificate or some other CA?
> >
> > >
> > > I've noticed there are many new pkinit-related options that have been
> > added
> > > to the ipa-server-install script in 4.2.0, so it looks like PKINIT is
> > > available in this version of FreeIPA. Is that the case?
> >
> > Which options are you referring to?
> >
> > bye,
> > Sumit
> >
> > >
> > > And if it is, what is the recommended way to enable it given that it
> > seems
> > > to have been disabled in the original install that I did? Or would it
> > just
> > > be easier to start from scratch with a 4.2.0 ipa-server-install? (It's a
> > > test instance that doesn't have too much in it - it will take several
> > > hours to rebuild from scratch.)
> > >
> > > Regards,
> > >
> > > Nik
> >
> >
> >
> Thanks Sumit.
> 
> It sounds like PKINIT is available but clearly I'm doing it wrong.
> 
>  > Which changes did you apply to krb5.conf? Did you use the IPA CA to sign
> the certificate or some other CA?
> 
> Actually, I modified the kdc.conf file - placed the kdc.pem, kdckey.pem and
> cacert.pem files in /var/kerberos/krb5kdc/ that I generated via openssl
> commands in the MIT Kerberos documentation. The only change to kdc.conf
> file was to append the location of the kdckey.pem file to pkinit_identity.
> 
>   pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> 
> became
> 
>   pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
>   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> 
> Should I have been modifying krb5.conf instead? It also sounds like I need

no, kdc.conf is the right place, I actually meant kdc.conf but
accidentally typed krb5.conf.

> to use a certificate signed by the IPAs CA - is this something that should
> be generated using ipa-getcert? Or do I just find the IPA CA's private key
> and use openssl following the MIT Kerberos documentation?
> 
>  > Which options are you referring to?
> 
> When I looked at the --help text for 4.1.0 and 4.2.0 versions of
> ipa-server-install, I noticed that 4.2.0 has these in the "certificate
> system options":
> 
>     --no-pkinit         disables pkinit setup steps
> 
>     --pkinit-cert-file=FILE
>                         File containing the Kerberos KDC SSL certificate and
>                         private key
> 
>     --pkinit-pin=PIN    The password to unlock the Kerberos KDC private key
> 
>     --pkinit-cert-name=NAME
>                         Name of the Kerberos KDC SSL certificate to install
> 
> 
> Seeing that first one, I was a little hopeful that pkinit is enabled by
> default in 4.2.0 but on a fresh install I just tried, I'm still seeing the

no, unfortunately pkinit is currently disabled by default

> following in krb5kdc.log when IPA is started up, so clearly it isn't.
> 
>   (Error): preauth pkinit failed to initialize: No realms configured
> correctly for pkinit support

I get the same error when I put the certificate and the key into
separate files. Can you try to put both into one and use this for the
pkinit_identity option?

HTH

bye,
Sumit

> 
> Regards,
> 
> Nik
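The exchange above turns on what the KDC actually finds behind `pkinit_identity` and `pkinit_anchors` in kdc.conf before it reports "No realms configured correctly for pkinit support". The following is an added example, not code from the thread or from FreeIPA or MIT Kerberos: a small Python pre-flight check that reads the realm stanza out of a kdc.conf, resolves the `FILE:` locators, and reports whether a CERTIFICATE block and a PRIVATE KEY block are reachable for the identity and a CERTIFICATE block for the anchors. It flags the split cert/key layout from the thread as a warning and a single combined PEM file as clean. The realm name, file names and PEM bodies in `demo()` are constructed placeholders; only the PEM block labels are inspected, the key material is never parsed.

```python
import os
import re
import tempfile

# One PEM block; group 1 is its label ("CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def parse_realm_settings(kdc_conf_text, realm):
    """Return key/value settings of `realm` from the [realms] section of a kdc.conf.

    Minimal parser: only the `NAME = { key = value ... }` stanza shape is handled.
    """
    settings, in_realms, in_realm = {}, False, False
    for raw in kdc_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_realms, in_realm = line == "[realms]", False
            continue
        if in_realms and not in_realm:
            m = re.match(r"(\S+)\s*=\s*\{$", line)
            if m and m.group(1) == realm:
                in_realm = True
            continue
        if in_realm:
            if line == "}":
                break
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def pem_block_types(path):
    """Set of PEM block labels found in `path` (empty if unreadable or no blocks)."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            return {m.group(1) for m in PEM_BLOCK.finditer(fh.read())}
    except OSError:
        return set()


def check_pkinit_settings(settings):
    """Check pkinit_identity / pkinit_anchors; returns a list of (level, message)."""
    findings = []
    identity = settings.get("pkinit_identity")
    if not identity:
        findings.append(("error", "pkinit_identity is not set; PKINIT stays disabled for this realm"))
    elif not identity.startswith("FILE:"):
        findings.append(("info", "pkinit_identity uses a non-FILE locator; not checked here"))
    else:
        paths = identity[len("FILE:"):].split(",")
        types, errors_before = set(), len(findings)
        for p in paths:
            found = pem_block_types(p)
            if not found:
                findings.append(("error", "identity file %s is missing or has no PEM blocks" % p))
            types |= found
        if "CERTIFICATE" not in types:
            findings.append(("error", "no CERTIFICATE block among the pkinit_identity files"))
        if not any(t.endswith("PRIVATE KEY") for t in types):
            findings.append(("error", "no PRIVATE KEY block among the pkinit_identity files"))
        if len(paths) > 1 and len(findings) == errors_before:
            findings.append(("warning", "certificate and key are in separate files; the thread's "
                                        "workaround is one combined PEM file in pkinit_identity"))
    anchors = settings.get("pkinit_anchors")
    if not anchors:
        findings.append(("error", "pkinit_anchors is not set"))
    elif anchors.startswith("FILE:"):
        for p in anchors[len("FILE:"):].split(","):
            if "CERTIFICATE" not in pem_block_types(p):
                findings.append(("error", "anchor file %s has no CERTIFICATE block" % p))
    return findings


def demo():
    """Build a constructed kdc.conf plus placeholder PEM files; check three layouts."""
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERCERTBODY\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDERKEYBODY\n-----END PRIVATE KEY-----\n"
    template = ("[kdcdefaults]\n kdc_ports = 88\n\n[realms]\n EXAMPLE.TEST = {\n"
                "  master_key_type = aes256-cts\n  pkinit_identity = FILE:%s\n"
                "  pkinit_anchors = FILE:%s\n }\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        files = {"kdc.pem": cert, "kdckey.pem": key, "cacert.pem": cert, "combined.pem": cert + key}
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        p = lambda n: os.path.join(d, n)  # constructed path helper
        layouts = {"split": p("kdc.pem") + "," + p("kdckey.pem"),
                   "combined": p("combined.pem"),
                   "missing_key": p("kdc.pem")}
        for label, identity in layouts.items():
            conf = template % (identity, p("cacert.pem"))
            results[label] = check_pkinit_settings(parse_realm_settings(conf, "EXAMPLE.TEST"))
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "ok")
```

On a real KDC the same two functions can be pointed at `/var/kerberos/krb5kdc/kdc.conf` and the realm name; a clean result only shows that the configured files contain the expected block types, not that the certificate carries the KDC EKU or the correct subject alternative name, which the MIT PKINIT documentation covers separately.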
