[Freeipa-users] PKINIT support in FreeIPA 4.2.0

Alexander Bokovoy abokovoy@redhat.com
Thu Feb 11 08:42:19 UTC 2016


On Thu, 11 Feb 2016, Nik Lam wrote:
>I've upgraded that package on both the IdM server and the (problem) client.
>
>I haven't looked *really* closely at the logs or the trace output, but it
>doesn't look like I'm getting any additional output.
>
>However, on a whim, I went to another client. This time I went to check what
>version of krb5-pkinit was installed, and discovered it wasn't installed
>along with the rest of the ipa-client package dependencies.
>
>I installed the GA version of krb5-pkinit and it all just works!
>
>[testuser@client01-756712 ~]$ kinit -n
>[testuser@client01-756712 ~]$
>[testuser@client01-756712 ~]$
>[testuser@client01-756712 ~]$ klist
>Ticket cache: FILE:/tmp/krb5cc_842000006
>Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>
>Valid starting       Expires              Service principal
>02/10/2016 23:28:46  02/11/2016 23:28:46  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>[testuser@client01-756712 ~]$
>[testuser@client01-756712 ~]$
>[testuser@client01-756712 ~]$ kinit -T /tmp/krb5cc_842000006 testuser
>Enter OTP Token Value:
>[testuser@client01-756712 ~]$
>[testuser@client01-756712 ~]$
>[testuser@client01-756712 ~]$ klist
>Ticket cache: FILE:/tmp/krb5cc_842000006
>Default principal: testuser@EXAMPLE.COM
>
>Valid starting       Expires              Service principal
>02/10/2016 23:29:14  02/11/2016 23:29:07  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>[testuser@client01-756712 ~]$
>
>So it looks like the absence of the krb5-pkinit package was the reason why
>kinit was prompting for the WELLKNOWN/ANONYMOUS password.
>
>To confirm, all that is needed on the client's krb5.conf file is to have
>pkinit_anchors pointing to a copy of the belonging to the CA that was used
>to create the KDC's cert (which in our case was a self-generated one not
>freeIPA/Dogtag's one).
>
>So, I think we've got everything we need to start using it. Thanks again
>for your help.
>
>With respect to the future plans - is there anything we need to beware of
>in terms of our manual creation of the WELLKNOWN/ANONYMOUS principal via
>"kadmin.local -x ipa-setup-override-restrictions"?
>Is freeIPA likely to have a fully-integrated anonymous PKINIT solution in
>the near future? You people have done such a great job of making the rest
>of this stuff easy and well-documented. Hats off to the developers (and Red
>Hat for sponsoring the project).
Creating the principal will change, for sure -- we'll most likely add
generation of it as a special command and will most likely generate it
during the install phase as well. It shouldn't be something that you
need to care about, though; the currently created principal would just
work.

Regarding the rest, we need to discuss with MIT folks some changes to the
KDB API to allow KDB drivers to receive client certificates, to do actual
PKINIT with certificates which don't have specific extensions. This is
what would be driving the work, even though this all might not be needed
for anonymous PKINIT by itself.

-- 
/ Alexander Bokovoy
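As an added example (not from the thread or from FreeIPA itself), a preflight check for an IPA client covering the two causes identified above: the krb5-pkinit plugin missing and pkinit_anchors not pointing at the CA that issued the KDC certificate. The plugin directory /usr/lib64/krb5/plugins/preauth and the constructed paths in the comments are assumptions; pass your own as arguments.

```shell
#!/bin/sh
# Preflight check for anonymous PKINIT on an IPA client (added example).
# Usage: check_pkinit_client [krb5.conf] [plugin directory]

# Print the pkinit_anchors value from a krb5.conf (first match wins).
pkinit_anchors_of() {
    sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Strip the FILE: or DIR: prefix so the target can be tested with [ -e ].
anchor_path() {
    printf '%s\n' "$1" | sed -e 's/^FILE://' -e 's/^DIR://'
}

# Return 0 if the pkinit preauth plugin shipped by krb5-pkinit is present.
# Default location is an assumption (RHEL/CentOS x86_64 layout).
pkinit_plugin_present() {
    [ -f "${1:-/usr/lib64/krb5/plugins/preauth}/pkinit.so" ]
}

# Combined check. Return codes: 1 no pkinit_anchors, 2 anchor target
# missing, 3 plugin missing (the case that made kinit -n prompt for a
# WELLKNOWN/ANONYMOUS password in the thread), 0 all good.
check_pkinit_client() {
    conf=${1:-/etc/krb5.conf}
    plugdir=${2:-/usr/lib64/krb5/plugins/preauth}
    anchors=$(pkinit_anchors_of "$conf")
    if [ -z "$anchors" ]; then
        echo "FAIL: no pkinit_anchors in $conf" >&2; return 1
    fi
    path=$(anchor_path "$anchors")
    if [ ! -e "$path" ]; then
        echo "FAIL: pkinit_anchors target $path does not exist" >&2; return 2
    fi
    if ! pkinit_plugin_present "$plugdir"; then
        echo "FAIL: pkinit.so not in $plugdir (install krb5-pkinit)" >&2; return 3
    fi
    echo "OK: pkinit_anchors=$anchors and plugin present; kinit -n should succeed"
}
```

After an OK result, the thread's sequence applies: kinit -n, then kinit -T <ccache> <user> to use the anonymous ticket as FAST armor for OTP.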



