On Thu, 11 Feb 2016, Nik Lam wrote:
I've upgraded that package on both the IdM server and the (problem) client.

I haven't looked *really* closely at the logs or the trace output, but it
doesn't look like I'm getting any additional output.

However, on a whim, went to another client. This time I went to check what
version of krb5-pkinit was installed, and discovered it wasn't installed
along with the rest of the ipa-client package dependencies.

I installed the GA version of krb5-pkinit and it all just works!

[testuser@client01-756712 ~]$ kinit -n
[testuser@client01-756712 ~]$
[testuser@client01-756712 ~]$
[testuser@client01-756712 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_842000006

Valid starting       Expires              Service principal
02/10/2016 23:28:46  02/11/2016 23:28:46  krbtgt/example....@example.com
[testuser@client01-756712 ~]$
[testuser@client01-756712 ~]$
[testuser@client01-756712 ~]$ kinit -T /tmp/krb5cc_842000006 testuser
Enter OTP Token Value:
[testuser@client01-756712 ~]$
[testuser@client01-756712 ~]$
[testuser@client01-756712 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_842000006
Default principal: testu...@example.com

Valid starting       Expires              Service principal
02/10/2016 23:29:14  02/11/2016 23:29:07  krbtgt/example....@example.com
[testuser@client01-756712 ~]$

So it looks like the absence of the krb5-pkinit package was the reason why
kinit was prompting for the WELLKNOWN/ANONYMOUS password.

To confirm, all that is needed on the client's krb5.conf file is to have
pkinit_anchors pointing to a copy of the belonging to the CA that was used
to create the KDC's cert (which in our case was a self-generated one not
freeIPA/Dogtag's one).

So, I think we've got everything we need to start using it. Thanks again
for your help.

With respect to the future plans - is there anything we need to beware of
in terms of our manual creation of the WELLKNOWN/ANONYMOUS principal via
"kadmin.local -x ipa-setup-override-restrictions"?
Is freeIPA likely to have a fully-integrated anonymous PKINIT solution in
the near future? You people have done such a great job of making the rest
of this stuff easy and well-documented. Hats off to the developers (and Red
Hat for sponsoring the project).
Creating the principal will change, for sure -- we'll most likely add a
generation of it as a special command and will most likely generate it
during the install phase as well. It shouldn't be something that you
need to care about, though, the currently created principal would just

Regarding the rest, we need to discuss with MIT folks some changes to
KDB API to allow KDB drivers to receive client certificates to do actual
PKINIT with certificates which don't have specific extensions. This is
what would be driving the work even though this all might not be needed
for anonymous PKINIT by itself.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to