[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-10 Thread Radoslaw Kujawa via FreeIPA-users
Hi. On 9/10/20 5:31 PM, Sumit Bose via FreeIPA-users wrote: just to be on the safe side, have you installed the krb5-pkinit package on Fedora 32? Sigh... the krb5-pkinit was somehow absent on Fedora 32. Thank you for the help and sorry for the noise. Although, could SSSD somehow detect this

[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-11 Thread Radoslaw Kujawa via FreeIPA-users
On 9/10/20 6:48 PM, Radoslaw Kujawa via FreeIPA-users wrote: I will coordinate with Jan to check if it is the same problem on his Ubuntu. Indeed, all of these problems boil down to a missing krb5-pkinit package. I was confused, because even though krb5-pkinit was missing, the Smart Card

[Freeipa-users] Re: Problem with smartcard login when otp is enabled

2020-09-10 Thread Radoslaw Kujawa via FreeIPA-users
Can you send the version of the krb5-libs package you are using on CentOS-8 and F32 as well? F32: krb5-libs-1.18.2-20.fc32.x86_64 CentOS 8: krb5-libs-1.17-18.el8.x86_64 Btw. I have downgraded SSSD to 2.2.3 on F32, but the problem persists. In my original email I have switched around SSSD

[Freeipa-users] Re: Adding subjectAltName when the certificate is signed

2020-10-08 Thread Radoslaw Kujawa via FreeIPA-users
Hi. On 10/8/20 9:06 PM, Rob Crittenden via FreeIPA-users wrote: Radosław Kujawa via FreeIPA-users wrote: Hi list. Is it possible to add email subjectAltName to a certificate when it is being signed by the IPA? How would the profile know what e-mail to add? These certificates are treated

[Freeipa-users] Re: Adding subjectAltName when the certificate is signed

2020-10-12 Thread Radoslaw Kujawa via FreeIPA-users
Hi. On 10/12/20 3:05 AM, Fraser Tweedale via FreeIPA-users wrote: On Thu, Oct 08, 2020 at 10:03:03PM +0200, Radoslaw Kujawa via FreeIPA-users wrote: On 10/8/20 9:06 PM, Rob Crittenden via FreeIPA-users wrote: Radosław Kujawa via FreeIPA-users wrote: Is it possible to add email

[Freeipa-users] Re: Kerberos behaviour when OTP is used

2020-11-07 Thread Radoslaw Kujawa via FreeIPA-users
Thank you for the thorough explanation! Best regards, Radoslaw On 11/7/20 8:45 PM, Alexander Bokovoy via FreeIPA-users wrote: On Wed, 04 Nov 2020, Radoslaw Kujawa via FreeIPA-users wrote: Hi list. I have 2FA enabled for many users in my organization, however some of these users work

[Freeipa-users] Kerberos behaviour when OTP is used

2020-11-04 Thread Radoslaw Kujawa via FreeIPA-users
Hi list. I have 2FA enabled for many users in my organization, however some of these users work on their own private devices and manually run kinit to obtain the TGT. I was wondering why does kinit ask to: "Enter OTP Token Value: " This message is slightly confusing. In fact, the user is

[Freeipa-users] sss_ssh_authorizedkeys vs user certificates

2021-09-23 Thread Radoslaw Kujawa via FreeIPA-users
Hi list. I have a CentOS 8.4 machine (fully updated), where sss_ssh_authorizedkeys is successfully able to pull public keys from IPA user certificates. Recently I have installed a new Fedora 34 machine and this functionality is not working - running "sss_ssh_authorizedkeys username" only

[Freeipa-users] Re: sss_ssh_authorizedkeys vs user certificates

2021-09-23 Thread Radoslaw Kujawa via FreeIPA-users
Hi. On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote: On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via FreeIPA-users wrote: the keys are only derived from the certificate if the certificate can be validated. Have you copied all needed CA certificates to the new machine

[Freeipa-users] ldap_sasl_interactive_bind_s: Inappropriate authentication (48) - help debugging

2023-05-30 Thread Radoslaw Kujawa via FreeIPA-users
Hello list. I am trying to understand a reason for certificate-based authentication failure to one of my directory servers. I have 3 IPA replicas running on CentOS 7. After running yum update on one of the nodes, PKI Tomcat failed to start. That system was not updated for the last year or so,