On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> Hello,
> 
> I installed ipa-server on Centos 7.1 and later did and upgrade of the whole
> system to Centos 7.2.
> 
> I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
> Centos/RHEL minor releases.
> 
> We'd now like to try integrating with a 2FA provider via a radius proxy and
> want to use anonymous PKINIT to secure the initial communications between
> the client and the KDC.
> 
> We've tried following the MIT Kerberos PKINIT configuration documentation
> 
>     http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html
> 
> generating our own certs manually with openssl but haven't had any luck.
> We're seeing this in the kdc log:
> 
>     preauth pkinit failed to initialize: No realms configured correctly for
> pkinit support

Which changes did you apply to krb5.conf? Did you use the IPA CA to sign
the certificate or some other CA?

> 
> I've noticed there are many new pkinit-related options that have been added
> to the ipa-server-install script in 4.2.0, so it looks like PKINIT is
> available in this version of FreeIPA. Is that the case?

Which options are you referring to?

bye,
Sumit

> 
> And if it is, what is the recommended way to enable it given that it seems
> to have been disabled in the original install that I did? Or would it just
> be easier to start from scratch with a 4.2.0 ipa-server-install? (It's a
> test instance that doesn't have too much in it - it will take a several
> hours to rebuild from scratch.)
> 
> Regards,
> 
> Nik

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to