On our current IPA realm where we have not used 2-factor, we’ve been able to 
kinit to our FreeIPA realm from our laptops.  All a Mac user needed to do, for 
example was to configure a ‘krb5.conf’ file and then ‘kinit 
us...@our.ipa.realm.com <mailto:us...@our.ipa.realm.com>'. This would allow us 
to work on our infrastructure without having to re-authenticate for the 
lifetime of our ticket-granting-ticket, usually the length of a work day.

We are building a new realm using 'ipa-server-4.2.0-15’ and will be requiring 
2-factor for authentication. So far it works well, meaning we can ssh to a jump 
host enrolled in our realm and from there move to other hosts in the realm 
without having to re-authenticate.

However, we can no longer ‘kinit’. I’ve dug around in the webs and have 
concluded that either this is a known issue that is not yet fixed, or perhaps 
someone has fixed it but not yet shared how they got this to work.

How is this impacting anyone else? Does anyone have any helpful information 
they can share?

Geordie Grindle

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to