Michael Schwartzkopff via FreeIPA-users wrote:
> On 21.02.22 19:06, Sumit Bose via FreeIPA-users wrote:
>> On Fri, Feb 18, 2022 at 02:06:24PM +0100, Michael Schwartzkopff via
>> FreeIPA-users wrote:
>>> Hi,
>>>
>>> I want to use OTP for krb tickets. Plain login works as expected. When I
>>> start kinit user I get the response:
>>>
>>> $ kinit user
>>>
>>> kinit: Generic preauthentication failure while getting initial credentials
>>>
>>> I read some docs and tried:
>>>
>>> $ kinit -n
>>>
>>> Password for WELLKNOWN/[email protected]:
>> Hi,
>>
>> looks like there is something wrong in your configuration, you shouldn't
>> see a prompt at all:
>>
>> $ kinit -n
>> $ klist
>> Ticketzwischenspeicher: KCM:1000
>> Standard-Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>>
>> Valid starting Expires Service principal
>> 21.02.2022 17:56:57 22.02.2022 17:10:55 krbtgt/[email protected]
>>
>> Most probably you do not have the CA certificates which signed the IPA
>> KDC certificate added to krb5.conf on the client.
>>
> I just added the
>
> [realms]
> MY.REALM = {
>
> (...)
> pkinit_anchors = FILE\:/etc/ca-cert.pem
> }
>
> to my krb5.conf.
>
> No change in behaviour. kinit -n still asks me for the ANONYMOUS password.

What is in /etc/ca-cert.pem? Do you have pkinit configured on the server with a user-issued certificate?

I don't think you need to escape the colon after FILE.

rob
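
As an added example (not part of the thread and not FreeIPA code), a small Python lint for the two things the reply asks about: the form of the `pkinit_anchors` value and whether the referenced file holds a PEM certificate at all. The function names and the sample config are constructed here; `FILE:` and `DIR:` are the location types MIT krb5 documents for this option.

```python
import re

# Location types MIT krb5 documents for pkinit_anchors.
ANCHOR_TYPES = ("FILE", "DIR")
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

# Constructed sample: the [realms] stanza as quoted in the thread.
SAMPLE_CONF = """\
[realms]
 MY.REALM = {
  pkinit_anchors = FILE\\:/etc/ca-cert.pem
 }
"""

def find_anchors(conf_text):
    """Return (line_number, raw_value) for each pkinit_anchors setting."""
    pattern = re.compile(r"\s*pkinit_anchors\s*=\s*(\S.*?)\s*$")
    return [(no, m.group(1))
            for no, line in enumerate(conf_text.splitlines(), 1)
            if (m := pattern.match(line))]

def read_disk(path):
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()

def check_anchor(value, read_file=read_disk):
    """List findings for one value; read_file(path) may raise OSError."""
    findings = []
    if "\\:" in value:
        findings.append("escaped colon after type prefix")
        value = value.replace("\\:", ":", 1)  # keep checking the path
    kind, sep, path = value.partition(":")
    if not sep or kind not in ANCHOR_TYPES:
        return findings + ["no FILE:/DIR: prefix"]
    if kind == "FILE":
        try:
            text = read_file(path)
        except OSError:
            return findings + ["anchor file unreadable: " + path]
        if not PEM_CERT.search(text):
            findings.append("no PEM certificate in " + path)
    return findings

if __name__ == "__main__":
    for no, value in find_anchors(SAMPLE_CONF):
        print(f"line {no}: {value} -> {check_anchor(value) or 'ok'}")
```

An empty findings list only means the value is well-formed and the file contains a certificate; it does not show that the certificate is the CA that signed the KDC certificate.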
