On our current IPA realm where we have not used 2-factor, we’ve been able to
kinit to our FreeIPA realm from our laptops. All a Mac user needed to do, for
example, was to configure a ‘krb5.conf’ file and then ‘kinit
us...@our.ipa.realm.com’. This would allow us
to work on our infrastructure without having to re-authenticate for the
lifetime of our ticket-granting-ticket, usually the length of a work day.

We are building a new realm using ‘ipa-server-4.2.0-15’ and will be requiring
2-factor for authentication. So far it works well, meaning we can ssh to a jump
host enrolled in our realm and from there move to other hosts in the realm
without having to re-authenticate.

However, we can no longer ‘kinit’. I’ve dug around in the webs and have
concluded that either this is a known issue that is not yet fixed, or perhaps
someone has fixed it but not yet shared how they got this to work.

How is this impacting anyone else? Does anyone have any helpful information
they can share?