On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> Hello,
>
> I installed ipa-server on Centos 7.1 and later did an upgrade of the whole
> system to Centos 7.2.
>
> I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
> Centos/RHEL minor releases.
>
> We'd now like to try integrating with a 2FA provider via a radius proxy and
> want to use anonymous PKINIT to secure the initial communications between
> the client and the KDC.
>
> We've tried following the MIT Kerberos PKINIT configuration documentation
>
> http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html
>
> generating our own certs manually with openssl but haven't had any luck.
> We're seeing this in the kdc log:
>
> preauth pkinit failed to initialize: No realms configured correctly for
> pkinit support

Which changes did you apply to krb5.conf? Did you use the IPA CA to sign the
certificate or some other CA?

>
> I've noticed there are many new pkinit-related options that have been added
> to the ipa-server-install script in 4.2.0, so it looks like PKINIT is
> available in this version of FreeIPA. Is that the case?

Which options are you referring to?

bye,
Sumit

>
> And if it is, what is the recommended way to enable it given that it seems
> to have been disabled in the original install that I did? Or would it just
> be easier to start from scratch with a 4.2.0 ipa-server-install? (It's a
> test instance that doesn't have too much in it - it will take several
> hours to rebuild from scratch.)
>
> Regards,
>
> Nik
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
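As an added illustration, not part of this thread and not FreeIPA's own configuration: the per-realm settings that MIT Kerberos needs before the KDC will offer PKINIT at all, following the documentation linked above. The KDC logs "No realms configured correctly for pkinit support" when no realm stanza carries a usable pkinit_identity, which is the first thing to check. The realm name, hostnames and certificate paths are placeholders.

```ini
# /var/kerberos/krb5kdc/kdc.conf (KDC side). Placeholder realm and paths.
# PKINIT is enabled per realm: the identity and trust anchors belong in
# the realm stanza, not in [kdcdefaults]. The KDC certificate must carry
# the id-pkinit-KDC extended key usage and the KDC principal name in the
# subjectAltName, as shown in the MIT openssl extension examples; a
# certificate issued without them initialises nothing and gives the error
# quoted in the thread.
[realms]
    EXAMPLE.COM = {
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
        pkinit_anchors  = FILE:/var/kerberos/krb5kdc/cacert.pem
    }

# /etc/krb5.conf (client side). The client only needs a trust anchor for
# the CA that signed the KDC certificate, so it can verify the KDC's
# PKINIT reply before sending its own pre-authentication.
[realms]
    EXAMPLE.COM = {
        kdc = ipa.example.com
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }

# Anonymous PKINIT additionally requires the WELLKNOWN/ANONYMOUS principal
# in the realm (kadmin.local -q "addprinc -randkey WELLKNOWN/ANONYMOUS");
# "kinit -n" then obtains an anonymous TGT that a second-factor exchange
# can run over.
```

After restarting the KDC, a successful initialisation no longer logs the "failed to initialize" line, and `kinit -n` is the quickest end-to-end check.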
