OK... following your advice, I deleted the "old" files. Then I ran ipa-pkinit-manage enable and got this output:

[root@ipa-replica ~]# rm /var/kerberos/krb5kdc/kdc.crt
rm: reguläre Datei '/var/kerberos/krb5kdc/kdc.crt' entfernen? y
[root@ipa-replica ~]# rm /var/kerberos/krb5kdc/kdc.key
rm: reguläre Datei '/var/kerberos/krb5kdc/kdc.key' entfernen? y
[root@ipa-replica ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Error 7 connecting to https://ipa-replica.biszumbitterenen.de:8443/ca/ee/ca/profileSubmitSSLClient: Couldn't connect to server.)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful

The relevant logfile shows this:

[root@ipa-replica ~]# tail /var/log/krb5kdc.log
Dez 03 09:01:46 ipa-replica.biszumbitterenen.de krb5kdc[2523](Information): Dateideskriptor 8 wird geschlossen
Dez 03 09:01:46 ipa-replica.biszumbitterenen.de krb5kdc[2523](Information): Dateideskriptor 7 wird geschlossen
Dez 03 09:01:46 ipa-replica.biszumbitterenen.de krb5kdc[2525](Information): Aktion wird begonnen
Dez 03 09:01:46 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): Aktion wird begonnen
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.201: NEEDED_PREAUTH: host/ipa-replica.biszumbitterenen...@biszumbitterenen.de für krbtgt/biszumbitterenen...@biszumbitterenen.de, zusätzlich Vorauthentifizierung erforderlich
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): Dateideskriptor 11 wird geschlossen
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.201: ISSUE: authtime 1543824528, etypes {rep=18 tkt=18 ses=18}, host/ipa-replica.biszumbitterenen...@biszumbitterenen.de for krbtgt/biszumbitterenen...@biszumbitterenen.de
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): Dateideskriptor 11 wird geschlossen
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.201: ISSUE: authtime 1543824528, etypes {rep=18 tkt=18 ses=18}, host/ipa-replica.biszumbitterenen...@biszumbitterenen.de for ldap/ipa-replica.biszumbitterenen...@biszumbitterenen.de
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): Dateideskriptor 11 wird geschlossen

What is causing this error?

THX
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org