OK, I finally took time to figure out what is going on with kinit -n. This is 
an issue for us because we use one-time passwords, and kinit -n is useful for 
bootstrapping kinit.

* concatenate /var/kerberos/krb5kdc/kdc.crt from all of the KDCs, and put the 
resulting file someplace on the clients. I’m using /etc/kdc.crt.
* make sure krb5_pkinit is installed. It wasn’t on our systems, as none of the 
instructions for installing ipa client mentioned it.
* in /etc/krb5.conf change the pkinit_anchors line
 pkinit_anchors = FILE:/etc/kdc.crt

Of course you could avoid changing pkinit_anchors by putting the file in 
whatever location it currently points to.

Is this somehow automated in ipa-client-install? We recently upgraded the 
servers to 4.5 but haven’t done ipa-client-install since.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
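The two file-handling steps from the post above (merging the per-KDC kdc.crt copies into one anchor file, then pointing pkinit_anchors at it) as an added shell example. This is not code from the original post and not part of FreeIPA or ipa-client-install; it assumes the kdc.crt files have already been copied from each KDC to the client, and every path in it is a placeholder. Installing the PKINIT package is left to the package manager.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project).
# Assumed: the per-KDC copies of /var/kerberos/krb5kdc/kdc.crt have already
# been fetched to the client; file names below are placeholders.

# Count PEM certificate blocks in a file. Prints the count and returns 1
# when BEGIN/END markers do not pair up (a truncated or garbled copy), so a
# damaged KDC certificate is never silently concatenated into the anchors.
pem_cert_count() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    printf '%s\n' "$begins"
    if [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]; then
        return 0
    fi
    return 1
}

# merge_kdc_certs OUTFILE KDC1.crt KDC2.crt ...
# Builds OUTFILE from the inputs, refusing the whole run if any input is
# malformed; prints the total number of certificates written.
merge_kdc_certs() {
    out=$1; shift
    total=0
    : > "$out.tmp"
    for f in "$@"; do
        n=$(pem_cert_count "$f") || {
            echo "refusing $f: malformed PEM" >&2
            rm -f "$out.tmp"
            return 1
        }
        cat "$f" >> "$out.tmp"
        # a copy without a trailing newline would glue the next BEGIN line
        # onto its END line, so terminate it explicitly
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n' >> "$out.tmp"
        fi
        total=$((total + n))
    done
    chmod 0644 "$out.tmp"          # anchors are public; world-readable is fine
    mv "$out.tmp" "$out"
    echo "$total"
}

# set_pkinit_anchors KRB5CONF ANCHOR
# Replaces an existing pkinit_anchors line, or adds one directly under
# [libdefaults] when the file has none. Two awk passes over the same file:
# the first only records whether the key exists, the second rewrites.
set_pkinit_anchors() {
    conf=$1; anchor=$2
    awk -v anchor="$anchor" '
        NR == FNR { if ($0 ~ /^[ \t]*pkinit_anchors[ \t]*=/) have = 1; next }
        /^[ \t]*pkinit_anchors[ \t]*=/ { print "  pkinit_anchors = " anchor; next }
        { print }
        !have && /^\[libdefaults\]/ { print "  pkinit_anchors = " anchor }
    ' "$conf" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Usage (placeholder paths):
#   merge_kdc_certs /etc/kdc.crt /tmp/kdc1.crt /tmp/kdc2.crt
#   set_pkinit_anchors /etc/krb5.conf FILE:/etc/kdc.crt
```

The anchor file is what kinit -n will trust when it checks the KDC's PKINIT response, so only certificates copied from your own KDCs belong in it; the PEM check makes a partial copy fail loudly rather than leaving one KDC out of the bundle. If pkinit_anchors already points somewhere else, the post's alternative applies unchanged: write the merged file to that location and skip set_pkinit_anchors.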