OK, I finally took time to figure out what is going on with kinit -n. This is
an issue for us because we use one-time passwords, and kinit -n is useful for
* concatenate /var/kerberos/krb5kdc/kdc.crt from all of the KDCs, and put the
resulting file someplace on the clients. I’m using /etc/kdc.crt.
* make sure krb5_pkinit is installed. It wasn’t on our systems, as none of the
instructions for installing ipa client mentioned it.
* in /etc/krb5.conf change the pkinit_anchors line

    pkinit_anchors = FILE:/etc/kdc.crt

Of course you could avoid changing pkinit_anchors by putting the file in
whatever location it currently points to.
Is this somehow automated in ipa-client-install? We recently upgraded the
servers to 4.5 but haven’t done ipa-client-install since.
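
An added example, not part of the original message: a shell sketch of the bundle step and a check that every pkinit_anchors FILE: entry in a krb5.conf points at a readable bundle with at least one certificate per KDC. The function names are hypothetical, only FILE: anchors are handled, and the demo certificates are constructed placeholders in a temporary directory.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of FreeIPA or krb5.

# Concatenate per-KDC certificates into one bundle. "awk 1" re-emits every line
# with a newline, so a file missing its final newline cannot glue its END
# marker onto the next certificate's BEGIN marker (plain cat would).
build_bundle() {
    out=$1; shift
    awk 1 "$@" > "$out"
}

# Print the path of every "pkinit_anchors = FILE:<path>" line in a krb5.conf.
anchor_files() {
    sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*FILE:\([^[:space:]]*\).*$/\1/p' "$1"
}

# Count PEM certificates in a bundle (grep exits 1 on zero matches).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only if each anchor file is readable and holds >= $2 certificates.
check_anchors() {
    conf=$1 expected=$2 status=0 found=0
    for f in $(anchor_files "$conf"); do
        found=1
        if [ ! -r "$f" ]; then
            echo "MISSING $f"; status=1; continue
        fi
        n=$(count_certs "$f")
        if [ "$n" -lt "$expected" ]; then
            echo "SHORT $f: $n of $expected KDC certificates"; status=1
        else
            echo "OK $f: $n certificates"
        fi
    done
    [ "$found" -eq 1 ] || { echo "NO pkinit_anchors FILE: entry in $conf"; status=1; }
    return $status
}

# Demo on constructed input: placeholder PEM blocks, not real certificates.
demo=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$demo/kdc1.crt"
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' > "$demo/kdc2.crt"
build_bundle "$demo/kdc.crt" "$demo/kdc1.crt" "$demo/kdc2.crt"
printf 'pkinit_anchors = FILE:%s\n' "$demo/kdc.crt" > "$demo/krb5.conf"
check_anchors "$demo/krb5.conf" 2
rm -rf "$demo"
```

On a client, the call would be check_anchors /etc/krb5.conf N, with N the number of KDCs whose kdc.crt went into the bundle.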