Michael Schwartzkopff via FreeIPA-users wrote:
> On 21.02.22 20:58, Rob Crittenden wrote:
>> Michael Schwartzkopff via FreeIPA-users wrote:
>>> On 21.02.22 19:06, Sumit Bose via FreeIPA-users wrote:
>>>> On Fri, Feb 18, 2022 at 02:06:24PM +0100, Michael
>>>> Schwartzkopff via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>>
>>>>> I want to use OTP for krb tickets. Plain login works as expected.
>>>>> When I
>>>>> start kinit user I get the response:
>>>>>
>>>>> $ kinit user
>>>>>
>>>>> kinit: Generic preauthentication failure while getting initial
>>>>> credentials
>>>>>
>>>>>
>>>>> I read some docs and tried:
>>>>>
>>>>> $ kinit -n
>>>>>
>>>>> Password for WELLKNOWN/[email protected]:
>>>> Hi,
>>>>
>>>> looks like there is something wrong in your configuration, you
>>>> shouldn't
>>>> see a prompt at all:
>>>>
>>>>      $ kinit -n
>>>>      $ klist
>>>>      Ticketzwischenspeicher: KCM:1000
>>>>      Standard-Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
>>>>
>>>>      Valid starting       Expires              Service principal
>>>>      21.02.2022 17:56:57  22.02.2022 17:10:55  krbtgt/[email protected]
>>>>
>>>> Most probably you do not have the CA certificates which signed the IPA
>>>> KDC certificate added to krb5.conf on the client.
>>>>
>>> I just added the
>>>
>>> [realms]
>>>         MY.REALM = {
>>>
>>>                 (...)
>>>                 pkinit_anchors = FILE\:/etc/ca-cert.pem
>>>         }
>>>
>>>
>>> to my krb5.conf.
>>>
>>>
>>> No change in behaviour. kinit -n still asks me for the ANONYMOUS
>>> password.
>> What is in /etc/ca-cert.pem? Do you have pkinit configured on the server
>> with a user-issued certificate?
>>
>> I don't think you need to escape the colon after FILE.
>>
>> rob
>>
> /etc/ca-cert.pem is the certificate of our CA. The CA is managed by
> FreeIPA.

I asked because this is not the typical location for the IPA CA.

In any case, I wonder if you have pkinit enabled at all. Run:
ipa-pkinit-manage status

ipa-pkinit-manage enable if it isn't.

rob
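Added example, not code from this thread or from FreeIPA: a POSIX sh check for the pkinit_anchors setting in a realm block of krb5.conf. It catches the escaped colon from the quoted configuration above and a missing or empty anchor file, the two client-side causes discussed here for kinit -n prompting for a password. The config path, realm name and the PEM heuristic are assumptions.

```shell
#!/bin/sh
# check_pkinit_anchors <krb5.conf> <REALM>
# Returns 0 when the realm's pkinit_anchors setting looks usable, 1 otherwise.
check_pkinit_anchors() {
    conf=$1
    realm=$2
    # Extract the pkinit_anchors value from the realm's block under [realms].
    value=$(awk -v realm="$realm" '
        /^[ \t]*\[/ { section = $1; next }
        section != "[realms]" { next }
        { n = split($0, kv, "="); key = kv[1]; gsub(/[ \t]/, "", key) }
        !inblock && key == realm && n > 1 && kv[2] ~ /\{/ { inblock = 1; next }
        inblock && /^[ \t]*\}/ { inblock = 0; next }
        inblock && key == "pkinit_anchors" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$conf")
    if [ -z "$value" ]; then
        echo "no pkinit_anchors for $realm: the client cannot validate the KDC certificate"
        return 1
    fi
    case $value in
        *'\:'*)
            # The thread's config had FILE\:/path; krb5.conf wants a plain colon.
            echo "pkinit_anchors has an escaped colon ($value); write FILE:/path instead"
            return 1 ;;
        FILE:*)
            path=${value#FILE:}
            if [ ! -r "$path" ]; then
                echo "anchor file $path is missing or unreadable"
                return 1
            fi
            # Coarse PEM check only; it does not prove this CA issued the KDC cert.
            if ! grep -q 'BEGIN CERTIFICATE' "$path"; then
                echo "$path contains no PEM certificate"
                return 1
            fi
            echo "pkinit_anchors = $value looks usable"
            return 0 ;;
        DIR:*)
            echo "directory anchors ($value): confirm the KDC's issuing CA is hashed there"
            return 0 ;;
        *)
            echo "unrecognised pkinit_anchors form: $value"
            return 1 ;;
    esac
}
```

A clean result here still leaves the server side to check, which is what ipa-pkinit-manage status covers.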
_______________________________________________
FreeIPA-users mailing list -- [email protected]