On Wed, 01 Nov 2017, Charles Hedrick via FreeIPA-users wrote:
> I understood that kinit -n is supposed to work with IPA 4.5. I have a
> server upgraded from 4.4 to 4.5. kinit -n prompts for a password.
> What needs to be true on client and server for this to work?
What needs to be done depends on what setup you have.
Run 'ipa-pkinit-manage status' to see the current status.
For integrated IPA CA:
- Run 'ipa-pkinit-manage enable' to enable the PKINIT KDC certificate. You
need to do so on all IPA 4.5 servers. Preferably upgrade all
servers to 4.5, as a mix between KDCs would create a lot of confusion.
For CA-less setup:
- IPA would be unable to issue KDC certificates automatically in this
case, so it would only issue a self-signed KDC cert on each IPA master
for the purpose of internal Web UI usage.
- Use 'ipa-server-certinstall' to install a KDC certificate issued by
your external CA. Use the instructions on
generate a KDC certificate request and sign it with your CA.
For both cases:
- Make sure your clients trust the CA which issued the KDC certificate. By
default, IPA clients are configured to trust the IPA CA in
pkinit_anchors = FILE:/etc/ipa/ca.crt
If you are using a different CA, you need to make sure this line
mentions the proper CA certificate.
- run 'ipa-server-upgrade' to make sure all remaining parts are
- Don't forget to restart IPA on each updated master.
/ Alexander Bokovoy
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
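As an added example (my own script, not code from this thread or from the FreeIPA project), the following POSIX shell check does the client-side part of the advice above before anyone runs 'kinit -n': it reads every pkinit_anchors line from a krb5.conf, confirms each anchor points at a readable PEM file or an existing directory, and, if the admin has a PEM copy of the KDC certificate, verifies that it chains to the anchor. Assumptions: the krb5.conf path is passed as an argument, the KDC certificate path (if any) comes from a KDC_CERT environment variable, and openssl is available for the chain check; the krb5.conf and "certificate" used in the demo are constructed placeholders, not real data.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself:
# a pre-flight check that a client is configured to trust the CA that
# issued the KDC certificate before trying 'kinit -n'.
# Assumptions: the krb5.conf path is passed as an argument; if the admin
# has a copy of the KDC certificate in PEM form, its path is given in the
# KDC_CERT environment variable; 'openssl' is used for the chain check.

# Print every pkinit_anchors value found in a krb5.conf (both the
# [libdefaults] entry and per-realm entries), one per line.
pkinit_anchors_from_conf() {
    sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*//p' "$1"
}

# Return 0 if an anchor value points at something usable:
#   FILE:<pem>  readable file containing at least one certificate
#   DIR:<dir>   existing directory
anchor_file_ok() {
    case "$1" in
        FILE:*) f=${1#FILE:}
                [ -r "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f" ;;
        DIR:*)  d=${1#DIR:}
                [ -d "$d" ] ;;
        *)      return 1 ;;
    esac
}

# Return 0 if the KDC certificate (arg 2) chains to the anchor PEM (arg 1).
kdc_cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Walk every anchor in the config; succeed if at least one is usable.
pkinit_client_check() {
    usable=0
    while IFS= read -r a; do
        [ -n "$a" ] || continue
        if anchor_file_ok "$a"; then
            echo "usable anchor:   $a"
            usable=$((usable + 1))
            # Optional chain check when the admin supplied the KDC cert.
            if [ -n "${KDC_CERT:-}" ] && [ "${a%%:*}" = "FILE" ]; then
                if kdc_cert_chains_to "${a#FILE:}" "$KDC_CERT"; then
                    echo "KDC certificate chains to this anchor"
                else
                    echo "WARNING: KDC certificate does NOT chain to this anchor"
                fi
            fi
        else
            echo "unusable anchor: $a"
        fi
    done <<EOF
$(pkinit_anchors_from_conf "$1")
EOF
    [ "$usable" -gt 0 ]
}

# Demo on a constructed krb5.conf (no real certificates involved).
demo_dir=$(mktemp -d)
cat > "$demo_dir/krb5.conf" <<EOF
[libdefaults]
  default_realm = EXAMPLE.TEST
  pkinit_anchors = FILE:$demo_dir/ca.crt
[realms]
  EXAMPLE.TEST = {
    pkinit_anchors = DIR:$demo_dir/missing-dir
  }
EOF
echo "--- before the CA file exists ---"
pkinit_client_check "$demo_dir/krb5.conf" || echo "client is not ready for kinit -n"
# Placeholder PEM (constructed, not a real certificate) so the file check passes.
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$demo_dir/ca.crt"
echo "--- after installing the CA file ---"
pkinit_client_check "$demo_dir/krb5.conf" || echo "client is not ready for kinit -n"
rm -rf "$demo_dir"
```

On a real client you would run `pkinit_client_check /etc/krb5.conf` with KDC_CERT pointing at a PEM copy of the master's KDC certificate; a "does NOT chain" warning means the pkinit_anchors line names a CA other than the one that issued the KDC certificate, which is exactly the situation that makes 'kinit -n' fall back to a password prompt.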