Hello,

I installed ipa-server on Centos 7.1 and later did an upgrade of the whole
system to Centos 7.2.

I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
Centos/RHEL minor releases.

We'd now like to try integrating with a 2FA provider via a radius proxy and
want to use anonymous PKINIT to secure the initial communications between
the client and the KDC.

We've tried following the MIT Kerberos PKINIT configuration documentation

    http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html

generating our own certs manually with openssl but haven't had any luck.
We're seeing this in the kdc log:

    preauth pkinit failed to initialize: No realms configured correctly for pkinit support

I've noticed there are many new pkinit-related options that have been added
to the ipa-server-install script in 4.2.0, so it looks like PKINIT is
available in this version of FreeIPA. Is that the case?

And if it is, what is the recommended way to enable it given that it seems
to have been disabled in the original install that I did? Or would it just
be easier to start from scratch with a 4.2.0 ipa-server-install? (It's a
test instance that doesn't have too much in it - it will take several
hours to rebuild from scratch.)

Regards,

Nik
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
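As an added diagnostic example (not from the poster or from FreeIPA), the following script parses a kdc.conf and reports which realms carry both `pkinit_identity` and `pkinit_anchors`, the two KDC-side settings the MIT PKINIT documentation calls for; the KDC logs the "No realms configured correctly for pkinit support" message when no realm passes its PKINIT realm initialisation. The sample configuration and certificate paths are constructed placeholders, and the assumption that a setting in `[kdcdefaults]` is inherited by every realm follows the MIT documentation.

```python
import re

# Constructed sample kdc.conf: one realm without PKINIT settings, one with.
# Paths are placeholders, not real files.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.TEST = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
 }
 PKI.TEST = {
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 }
"""

def parse_kdc_conf(text):
    """Return (sections, realms): plain sections as {name: {key: value}},
    and each REALM = { ... } stanza under [realms] as {realm: {key: value}}."""
    sections, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)         # [section] header
        if m:
            section = m.group(1)
            sections.setdefault(section, {})
            realm = None
            continue
        m = re.match(r'(\S+)\s*=\s*\{$', line)    # REALM = { opens a realm stanza
        if m and section == 'realms':
            realm = m.group(1)
            realms[realm] = {}
            continue
        if line == '}':                           # closes the realm stanza
            realm = None
            continue
        if '=' in line and section is not None:
            key, value = (s.strip() for s in line.split('=', 1))
            (realms[realm] if realm else sections[section])[key] = value
    return sections, realms

def pkinit_ready_realms(text):
    """Realms with pkinit_identity and pkinit_anchors, own or inherited from [kdcdefaults]."""
    sections, realms = parse_kdc_conf(text)
    defaults = sections.get('kdcdefaults', {})
    return [r for r, opts in realms.items()
            if all({**defaults, **opts}.get(k) for k in ('pkinit_identity', 'pkinit_anchors'))]
```

Run it against the KDC's own kdc.conf (on FreeIPA hosts, /var/kerberos/krb5kdc/kdc.conf) to see whether the realm is missing the settings before touching certificates.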