OK, I finally took time to figure out what is going on with kinit -n. This is an issue for us because we use one-time passwords, and kinit -n is useful for bootstrapping kinit.
* concatenate /var/kerberos/krb5kdc/kdc.crt from all of the KDCs, and put the resulting file someplace on the clients. I’m using /etc/kdc.crt.
* make sure krb5_pkinit is installed. It wasn’t on our systems, as none of the instructions for installing ipa client mentioned it.
* in /etc/krb5.conf change the pkinit_anchors line:

    pkinit_anchors = FILE:/etc/kdc.crt

Of course you could avoid changing pkinit_anchors by putting the file in whatever location it currently points to.

Is this somehow automated in ipa-client-install? We recently upgraded the servers to 4.5 but haven’t done ipa-client-install since.
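The bundle and krb5.conf steps from the message above, as an added example that is not part of the original post or of FreeIPA's tooling. The function names are hypothetical, only FILE: anchors are handled, and the certificate count stands in for "one certificate per KDC".

```shell
#!/bin/sh
# Added example: build the client-side anchor bundle from per-KDC copies of
# kdc.crt and check that krb5.conf points at it. Function names are hypothetical.

PEM_BEGIN='-----BEGIN CERTIFICATE-----'

# build_anchor_bundle OUT CERT...: concatenate PEM certificates into OUT.
build_anchor_bundle() {
    out=$1; shift
    : > "$out" || return 1
    for crt in "$@"; do
        # Refuse anything that is not a PEM certificate, so a stray file
        # never ends up among the PKINIT trust anchors.
        grep -q -- "$PEM_BEGIN" "$crt" || {
            echo "not a PEM certificate: $crt" >&2; return 1; }
        cat "$crt" >> "$out"
        # Add a newline if the input lacked one, so the next BEGIN line
        # is not glued to the previous END line.
        [ -z "$(tail -c 1 "$crt")" ] || echo >> "$out"
    done
    chmod 0644 "$out"
}

# anchor_files CONF: print the path from each "pkinit_anchors = FILE:..." line.
# Commented-out lines are ignored.
anchor_files() {
    sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*FILE:\([^[:space:]]*\).*$/\1/p' "$1"
}

# check_anchors CONF WANT: succeed only if a configured anchor file is
# readable and holds at least WANT certificates.
check_anchors() {
    conf=$1; want=$2
    for f in $(anchor_files "$conf"); do
        [ -r "$f" ] || continue
        have=$(grep -c -- "$PEM_BEGIN" "$f" || true)
        [ "$have" -ge "$want" ] && return 0
    done
    return 1
}
```

A client that passes check_anchors with the number of KDCs in the realm has the file and the krb5.conf line in place; it does not confirm that the PKINIT module itself is installed.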