Michael Schwartzkopff via FreeIPA-users wrote:
> On 21.02.22 20:58, Rob Crittenden wrote:
>> Michael Schwartzkopff via FreeIPA-users wrote:
>>> On 21.02.22 19:06, Sumit Bose via FreeIPA-users wrote:
>>>> On Fri, Feb 18, 2022 at 02:06:24PM +0100, Michael Schwartzkopff via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> I want to use OTP for krb tickets. Plain login works as expected. When I
>>>>> start kinit user I get the response:
>>>>>
>>>>> $ kinit user
>>>>> kinit: Generic preauthentication failure while getting initial credentials
>>>>>
>>>>> I read some docs and tried:
>>>>>
>>>>> $ kinit -n
>>>>> Password for WELLKNOWN/[email protected]:
>>>> Hi,
>>>>
>>>> looks like there is something wrong in your configuration, you shouldn't
>>>> see a prompt at all:
>>>>
>>>> $ kinit -n
>>>> $ klist
>>>> Ticket cache: KCM:1000
>>>> Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 21.02.2022 17:56:57  22.02.2022 17:10:55  krbtgt/[email protected]
>>>>
>>>> Most probably you do not have the CA certificates which signed the IPA
>>>> KDC certificate added to krb5.conf on the client.
>>>>
>>> I just added the
>>>
>>> [realms]
>>> MY.REALM = {
>>>     (...)
>>>     pkinit_anchors = FILE\:/etc/ca-cert.pem
>>> }
>>>
>>> to my krb5.conf.
>>>
>>> No change in behaviour. kinit -n still asks me for the ANONYMOUS password.
>> What is in /etc/ca-cert.pem? Do you have pkinit configured on the server
>> with a user-issued certificate?
>>
>> I don't think you need to escape the colon after FILE.
>>
>> rob
>>
> /etc/ca-cert.pem is the certificate of our CA. The CA is managed by
> FreeIPA.
I asked because this is not the typical location for the IPA CA. In any case, I wonder if you have pkinit enabled at all. Run:

ipa-pkinit-manage status

ipa-pkinit-manage enable if it isn't.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
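The thread turns on two client-side details: the `pkinit_anchors` value in krb5.conf must not have its colon escaped (`FILE\:` is taken literally by libkrb5, not as `FILE:`), and the file it points at must actually hold the PEM certificate of the CA that signed the KDC's PKINIT certificate. The following POSIX sh checker is an added example, not code from the thread or from FreeIPA; the function name `check_pkinit_anchors`, its return codes and the sample krb5.conf it is run against are assumptions made for illustration. It pulls `pkinit_anchors` out of the named realm block and reports the escaped-colon mistake, a missing anchor file, or a file with no PEM certificate in it, which is the kind of check to run before concluding that the server side (`ipa-pkinit-manage status`) is at fault.

```shell
#!/bin/sh
# Added example (not from the FreeIPA-users thread): sanity-check the
# pkinit_anchors setting for one realm in a krb5.conf before running
# `kinit -n`. Function name and return codes are illustrative assumptions.
#
# Return codes: 0 ok, 1 no pkinit_anchors in the realm block,
# 2 escaped "FILE\:" prefix, 3 anchor path missing/unreadable,
# 4 unsupported anchor type, 5 file contains no PEM certificate.
check_pkinit_anchors() {
    conf="$1"
    realm="$2"

    # Locate the realm's "{ ... }" block inside [realms] and print the first
    # pkinit_anchors line in it; comment lines are skipped.
    line=$(awk -v realm="$realm" '
        /^[[:space:]]*#/ { next }
        $1 == realm && $2 == "=" && $3 == "{" { inblk = 1; next }
        inblk && $1 == "}" { inblk = 0 }
        inblk && index($0, "pkinit_anchors") { print; exit }
    ' "$conf")
    if [ -z "$line" ]; then
        echo "no pkinit_anchors in realm $realm ($conf)"
        return 1
    fi

    # Everything after the first "=" is the value; strip surrounding blanks.
    value=${line#*=}
    value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')

    case "$value" in
        FILE\\:*)
            # The backslash is not an escape in krb5.conf; the prefix
            # must be exactly "FILE:".
            echo "pkinit_anchors is '$value': remove the backslash, use FILE:"
            return 2 ;;
        FILE:*)
            path=${value#FILE:} ;;
        DIR:*)
            path=${value#DIR:}
            if [ -d "$path" ]; then echo "ok: $value"; return 0; fi
            echo "anchor directory missing: $path"
            return 3 ;;
        *)
            echo "unsupported anchor type: $value"
            return 4 ;;
    esac

    if [ ! -r "$path" ]; then
        echo "anchor file missing or unreadable: $path"
        return 3
    fi
    # A usable anchor is a PEM CA certificate, not a key or an empty file.
    if ! grep -q 'BEGIN CERTIFICATE' "$path"; then
        echo "no PEM certificate found in $path"
        return 5
    fi
    echo "ok: $value"
    return 0
}

# Usage: sh check_pkinit.sh /etc/krb5.conf MY.REALM
if [ $# -eq 2 ]; then
    check_pkinit_anchors "$1" "$2"
fi
```

On a FreeIPA-enrolled client the anchor normally points at the IPA CA chain shipped by ipa-client-install, so a non-default path like /etc/ca-cert.pem is worth verifying this way; if the check passes and `kinit -n` still prompts, the remaining suspect is the server, which is where `ipa-pkinit-manage status` comes in.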
