Hi Alexander, I followed your instructions, and this is how far I got:
1. User is listed on the IPA server under: Identity > ID Views > Default Trust View: [email protected]

2. SSH to the client using my AD credentials

3. I run:

    $ kinit [email protected]
    Password for [email protected]:

4. Generated key and CSR using openssl > myreq.csr

5. Run:

    $ ipa cert-request myreq.csr
    Principal: [email protected]
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server.

    $ klist
    Ticket cache: KCM:176...1680:95288
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    26/02/22 03:12:04  26/02/22 13:04:54  HTTP/[email protected]
    26/02/22 03:04:54  26/02/22 13:04:54  krbtgt/[email protected]
            renew until 01/03/22 03:04:45
    26/02/22 03:12:04  26/02/22 13:04:54  krbtgt/[email protected]

Where idm.ourdmoain.local is the IPA server; ca.idm.ourdomain.local is the client; OURDMAIN.LOCAL is our AD domain.

Is this the error you were expecting?

I don't fully understand the error message. Does it have to do with the CSR? The Subject contains the same O= as the IPA Server... Does it need a specific format?

The Sub-CA has the following Subject:

    CN=VPN CA,O=Company Name,O=OURDMAIN.LOCAL,ST=OurRegion, L = OurLocality

And the CSR:

    C = CO, ST = OurRegion, L = OurLocality, O = Company Name, OU = IT, CN = User Full Name, emailAddress = [email protected]

Thanks again for your invaluable help!

Pedro.
