URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

splashx commented:
"""
@simo5 done, however not successfully. It's [not really my first 
time](http://www.securiteam.com/securitynews/6C02X0AHGA.html) on the pkinit 
rodeo, so I'm wondering if FreeIPA's got something on top. I've got one FreeIPA 
for testing purposes, so I'm not fussing with several servers. For debug 
purposes, I have done:

/etc/kdc.conf
```
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true

[realms]
 REALM.EU = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /etc/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
;  admin_keytab = /etc/krb5kdc/kadm5.keytab
+   pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem 
 
+   pkinit_eku_checking = none
 }
```

The anonymous user (created manually first with `-randkey`, modified with 
`-requires_preauth` and then later with `purgekeys -all 
WELLKNOWN/anonym...@realm.eu`) looks like this:
```
root@ipa01:/var/lib/krb5kdc# kadmin.local -x ipa-setup-override-restrictions
Authenticating as principal admin/ad...@realm.eu with password.
kadmin.local:  getprinc WELLKNOWN/anonym...@realm.eu
Principal: WELLKNOWN/anonym...@realm.eu
Expiration date: [never]
Last password change: Mon Nov 28 12:46:41 UTC 2016
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Nov 28 16:04:32 UTC 2016 (admin/ad...@realm.eu)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 0
MKey: vno 1
Attributes:
Policy: [none]
```

I made sure the certificate's common name matches the FQDN, but I'm still getting:

```
root@ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
[10593] 1480350802.381306: Getting initial credentials for 
WELLKNOWN/anonym...@realm.eu
[10593] 1480350802.384075: Sending request (178 bytes) to REALM.EU
[10593] 1480350802.433623: Retrying AS request with master KDC
[10593] 1480350802.434688: Getting initial credentials for 
WELLKNOWN/anonym...@realm.eu
[10593] 1480350802.435476: Sending request (178 bytes) to REALM.EU (master)
[10593] 1480350802.436191: Resolving hostname kdc.domain.eu
[10593] 1480350802.462072: Sending initial UDP request to dgram 10.235.2.25:88
[10593] 1480350803.465087: Resolving hostname kdc.domain.eu
[10593] 1480350803.489656: Sending initial UDP request to dgram 10.235.2.25:750
[10593] 1480350804.491058: Initiating TCP connection to stream 10.235.2.25:88
[10593] 1480350804.515736: Sending TCP request to stream 10.235.2.25:88
[10593] 1480350804.547579: Received answer (269 bytes) from stream 
10.235.2.25:88
[10593] 1480350804.547663: Received error from KDC: -1765328359/Additional 
pre-authentication required
[10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
[10593] 1480350804.547713: Received cookie: MIT
[10593] 1480350804.547744: Preauth module pkinit (147) (info) returned: 
0/Success
[10593] 1480350804.547758: PKINIT client has no configured identity; giving up
[10593] 1480350804.547765: Preauth module pkinit (16) (real) returned: 
22/Invalid argument
[10593] 1480350804.547776: PKINIT client has no configured identity; giving up
[10593] 1480350804.547782: Preauth module pkinit (14) (real) returned: 
22/Invalid argument
[10593] 1480350804.547793: PKINIT client has no configured identity; giving up
[10593] 1480350804.547798: Preauth module pkinit (14) (real) returned: 
22/Invalid argument
kinit: Invalid argument while getting initial credentials
root@ubuntu:~# 
```

Any thoughts would be helpful.

Thanks in advance
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-263324302
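A small trace analyser, added here as an example and not part of the pull request, FreeIPA or MIT krb5: it reads a KRB5_TRACE capture like the one in the comment above, decodes which pre-authentication types the KDC offered, records which client preauth modules failed, and, when the KDC advertised PKINIT but the client pkinit module reported no configured identity, points at the client-side krb5.conf rather than at the KDC. The realm and principal in the embedded sample are constructed; the type names come from the RFCs cited in the code, and the pkinit_anchors remark follows MIT's PKINIT documentation for anonymous `kinit -n`.

```python
import re

# Pre-authentication type numbers as printed by KRB5_TRACE, named per RFC 4120,
# RFC 4556 (PKINIT), RFC 6113 (FAST) and RFC 8062 (PKINIT-KX).
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
            16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 133: "PA-FX-COOKIE",
            136: "PA-FX-FAST", 137: "PA-FX-ERROR", 147: "PA-PKINIT-KX"}
TRACE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (?P<msg>.*)$")
OFFER_RE = re.compile(r"^Processing preauth types: (?P<types>[\d, ]+)$")
MODULE_RE = re.compile(r"^Preauth module (?P<mod>\S+) \((?P<pa>\d+)\) \((?P<kind>\w+)\) "
                       r"returned: (?P<code>-?\d+)/(?P<text>.*)$")
NO_IDENTITY = "PKINIT client has no configured identity"

# Constructed sample modelled on the trace in the comment above (realm invented, records unwrapped).
SAMPLE_TRACE = """\
[10593] 1480350802.381306: Getting initial credentials for WELLKNOWN/ANONYMOUS@EXAMPLE.TEST
[10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
[10593] 1480350804.547744: Preauth module pkinit (147) (info) returned: 0/Success
[10593] 1480350804.547758: PKINIT client has no configured identity; giving up
[10593] 1480350804.547765: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[10593] 1480350804.547782: Preauth module pkinit (14) (real) returned: 22/Invalid argument
kinit: Invalid argument while getting initial credentials
"""

def analyse_trace(trace):
    """Summarise a KRB5_TRACE capture of one AS exchange, one trace record per line."""
    s = {"anonymous": False, "offered": [], "module_failures": [],
         "no_identity": False, "hint": None}
    for line in trace.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # prompt lines and kinit's own error message carry no trace record
        msg = m.group("msg")
        offer, result = OFFER_RE.match(msg), MODULE_RE.match(msg)
        if msg.startswith("Getting initial credentials for WELLKNOWN/ANONYMOUS"):
            s["anonymous"] = True
        elif offer:
            nums = [int(n) for n in offer.group("types").split(",")]
            s["offered"] = [(n, PA_TYPES.get(n, "unknown")) for n in nums]
        elif result and result.group("code") != "0":  # keep only failed modules
            s["module_failures"].append((int(result.group("pa")), result.group("kind"),
                                         int(result.group("code")), result.group("text")))
        elif msg.startswith(NO_IDENTITY):
            s["no_identity"] = True
    if s["no_identity"] and any(n in (14, 16) for n, _ in s["offered"]):
        # The KDC advertised PA-PK-AS-REQ, so its pkinit module loaded; the client gave up
        # before sending any PKINIT data, so the client krb5.conf is the place to look.
        s["hint"] = ("KDC offers PKINIT but the client pkinit module is unconfigured: "
                     "check the client krb5.conf (pkinit_anchors for anonymous kinit -n)")
    return s
```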
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code