Hello,

On our current IPA realm, where we have not used 2-factor, we’ve been able to kinit to our FreeIPA realm from our laptops. All a Mac user needed to do, for example, was to configure a ‘krb5.conf’ file and then ‘kinit us...@our.ipa.realm.com’. This would allow us to work on our infrastructure without having to re-authenticate for the lifetime of our ticket-granting-ticket, usually the length of a work day.

We are building a new realm using ‘ipa-server-4.2.0-15’ and will be requiring 2-factor for authentication. So far it works well, meaning we can ssh to a jump host enrolled in our realm and from there move to other hosts in the realm without having to re-authenticate. However, we can no longer ‘kinit’.

I’ve dug around in the webs and have concluded that either this is a known issue that is not yet fixed, or perhaps someone has fixed it but not yet shared how they got this to work.

How is this impacting anyone else? Does anyone have any helpful information they can share?

Thanks,
Geordie Grindle

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project