On ke, 01 marras 2017, Charles Hedrick via FreeIPA-users wrote:
I understood that kinit -n is supposed to work with IPA 4.5. I have a
server upgraded from 4.4 to 4.5. kinit -n prompts for a password.

What needs to be true on client and server for this to work?
What needs to be done depends on what setup do you have.

Run 'ipa-pkinit-manage status' to see what is the current status.

For integrated IPA CA:
- Run 'ipa-pkinit-manage enable' to enable PKINIT KDC certificate. You
  need to do so on all IPA 4.5 servers. Preferably do upgrade all
  servers to 4.5 as mix between KDCs would create a lot of confusion.

For CA-less setup:
- IPA would be unable to issue KDC certificates automatically in this
  case, so it would only issue self-signed KDC cert on each IPA master
  for the purpose of internal Web UI usage.

- Use 'ipa-server-certinstall' to install KDC certificate issued by
your external CA. Use instructions on https://web.mit.edu/kerberos/krb5-1.15/doc/admin/pkinit.html to
  generate KDC certificate request and sign it by your CA.

For both cases:

- Make sure your clients trust CA which issued KDC certificate. By
  default, IPA clients are configured to trust IPA CA in
  /etc/krb5.conf:

     pkinit_anchors = FILE:/etc/ipa/ca.crt

  If you are using different CA, you need to make sure this line
  mentions a proper CA certificate.

- run 'ipa-server-upgrade' to make sure all remaining parts are
  created too.

- Don't forget to restart IPA on each updated master.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
  • [Freeipa-users] kinit -n Charles Hedrick via FreeIPA-users
    • [Freeipa-users] Re: kinit -n Alexander Bokovoy via FreeIPA-users

Reply via email to