Hello,

I installed ipa-server on CentOS 7.1 and later did an upgrade of the whole system to CentOS 7.2. I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these CentOS/RHEL minor releases.

We'd now like to try integrating with a 2FA provider via a RADIUS proxy and want to use anonymous PKINIT to secure the initial communications between the client and the KDC. We've tried following the MIT Kerberos PKINIT configuration documentation

http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html

generating our own certs manually with openssl but haven't had any luck. We're seeing this in the KDC log:

    preauth pkinit failed to initialize: No realms configured correctly for pkinit support

I've noticed there are many new pkinit-related options that have been added to the ipa-server-install script in 4.2.0, so it looks like PKINIT is available in this version of FreeIPA. Is that the case? And if it is, what is the recommended way to enable it, given that it seems to have been disabled in the original install that I did?

Or would it just be easier to start from scratch with a 4.2.0 ipa-server-install? (It's a test instance that doesn't have too much in it - it will take several hours to rebuild from scratch.)

Regards,
Nik