On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote:
> On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose <sb...@redhat.com> wrote:
> 
> > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote:
> > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose <sb...@redhat.com> wrote:
> > >
> > > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> > > > > Hello,
> > > > >
> > > > > I installed ipa-server on Centos 7.1 and later did and upgrade of the
> > > > whole
> > > > > system to Centos 7.2.
> > > > >
> > > > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
> > > > > Centos/RHEL minor releases.
> > > > >
> > > > > We'd now like to try integrating with a 2FA provider via a radius
> > proxy
> > > > and
> > > > > want to use anonymous PKINIT to secure the initial communications
> > between
> > > > > the client and the KDC.
> > > > >
> > > > > We've tried following the MIT Kerberos PKINIT configuration
> > documentation
> > > > >
> > > > >     http://web.mit.edu/kerberos/krb5-1.14/doc/admin/pkinit.html
> > > > >
> > > > > generating our own certs manually with openssl but haven't had any
> > luck.
> > > > > We're seeing this in the kdc log:
> > > > >
> > > > >     preauth pkinit failed to initialize: No realms configured
> > correctly
> > > > for
> > > > > pkinit support
> > > >
> > > > Which changes did you apply to krb5.conf? Did you use the IPA CA to
> > sign
> > > > the certificate or some other CA?
> > > >
> > > > >
> > > > > I've noticed there are many new pkinit-related options that have been
> > > > added
> > > > > to the ipa-server-install script in 4.2.0, so it looks like PKINIT is
> > > > > available in this version of FreeIPA. Is that the case?
> > > >
> > > > Which options are you referring to?
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > >
> > > > > And if it is, what is the recommended way to enable it given that it
> > > > seems
> > > > > to have been disabled in the original install that I did? Or would it
> > > > just
> > > > > be easier to start from scratch with a 4.2.0 ipa-server-install?
> > (It's a
> > > > > test instance that doesn't have too much in it - it will take a
> > several
> > > > > hours to rebuild from scratch.)
> > > > >
> > > > > Regards,
> > > > >
> > > > > Nik
> > > >
> > > >
> > > >
> > > Thanks Sumit.
> > >
> > > It sounds like PKINIT is available but clearly I'm doing it wrong.
> > >
> > >  > Which changes did you apply to krb5.conf? Did you use the IPA CA to
> > sign
> > > the certificate or some other CA?
> > >
> > > Actually, I modified the kdc.conf file - placed the kdc.pem, kdckey.pem
> > and
> > > cacert.pem files in /var/kerberos/krb5kdc/ that I generated via openssl
> > > commands in the MIT Kerberos documentation. The only change to kdc.conf
> > > file was to append the location of the kdckey.pem file to
> > pkinit_identity.
> > >
> > >   pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> > >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > >
> > > became
> > >
> > >   pkinit_identity =
> > > FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
> > >   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> > >
> > > Should I have been modifying krb5.conf instead? It aslo sounds like I
> > need
> >
> > no, kdc.conf is the right place, I actually meant kdc.conf but
> > accidentially types krb5.conf.
> >
> > > to use a certificate signed by the IPAs CA - is this something that
> > should
> > > be generated using ipa-getcert? Or do I just find the IPA CA's private
> > key
> > > and use openssl following the MIT Kerberos documentation?
> > >
> > >  > Which options are you referring to?
> > >
> > > When I looked at the --help text for 4.1.0 and 4.2.0 versions of
> > > ipa-server-install, I noticed that 4.2.0 has these in the "certificate
> > > system options":
> > >
> > >     --no-pkinit         disables pkinit setup steps
> > >
> > >     --pkinit-cert-file=FILE
> > >                         File containing the Kerberos KDC SSL certificate
> > and
> > >                         private key
> > >
> > >     --pkinit-pin=PIN    The password to unlock the Kerberos KDC private
> > key
> > >
> > >     --pkinit-cert-name=NAME
> > >                         Name of the Kerberos KDC SSL certificate to
> > install
> > >
> > >
> > > Seeing that first one, I was a little hopeful that pkinit is enabled by
> > > default in 4.2.0 but on a fresh install I just tried, I'm still seeing
> > the
> >
> > no, unfortunately pkinit is currently disabled by default
> >
> > > following in krb5kdc.log when IPA is started up, so clearly it isn't.
> > >
> > >   (Error): preauth pkinit failed to initialize: No realms configured
> > > correctly for pkinit support
> >
> > I get the same error when I put the certificate and the key into
> > separate files. Can you try to put both into one and use this for the
> > pkinit_identity option?
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> 
> 
> Thanks Sumit, it did!
> 
> I concatenated the cert and the key into a single file and the error has
> indeed gone away from krb5kdc.log
> 
> The odd thing is that I can't reproduce the error by splitting into two
> separate files and restarting ipa.service again.
> 
> Ignoring that mystery, how do I go about setting up the WELLKNOWN/ANONYMOUS
> principal?
> 
> I'm pretty sure it's needed for anonymous pkinit:
> 
> $ kinit
> kinit: Generic preauthentication failure while getting initial credentials
> $
> 
> $ kinit -n
> kinit: Client 'WELLKNOWN/anonym...@example.com' not found in Kerberos
> database while getting initial credentials
> $
> 
> Using  kadmin per the MIT documentation doesn't seem to work (authenticated
> as an IPA admin)
> 
> # kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
> Authenticating as principal admin/ad...@example.com with password.
> kadmin: Client not found in Kerberos database while initializing kadmin
> interface
> #
> 
> # kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS' -p admin
> Authenticating as principal admin with password.
> Password for ad...@example.com:
> WARNING: no policy specified for WELLKNOWN/anonym...@example.com;
> defaulting to no policy
> add_principal: Operation requires ``add'' privilege while creating
> "WELLKNOWN/anonym...@example.com".
> #

Please try

    kadmin.local -x ipa-setup-override-restrictions

bye,
Sumit

> 
> Regards,
> 
> Nik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to