On Fri, 10 Nov 2017, Charles Hedrick via FreeIPA-users wrote:
> OK, I finally took time to figure out what is going on with kinit -n.
> This is an issue for us because we use one-time passwords, and kinit -n
> is useful for bootstrapping kinit.
>
> * concatenate /var/kerberos/krb5kdc/kdc.crt from all of the KDCs, and put the
> resulting file someplace on the clients. I’m using /etc/kdc.crt.
> * make sure krb5_pkinit is installed. It wasn’t on our systems, as none of the
> instructions for installing ipa client mentioned it.
> * in /etc/krb5.conf change the pkinit_anchors line
> pkinit_anchors = FILE:/etc/kdc.crt
>
> Of course you could avoid changing pkinit_anchors by putting the file
> in whatever location it currently points to.
>
> Is this somehow automated in ipa-client-install? We recently upgraded
> the servers to 4.5 but haven’t done ipa-client-install since.

If you are using 4.5 with integrated CA, most likely you have it working
already. If you are not using integrated CA, things are different.

When you install freeIPA 4.5 with --no-pkinit, the installer will
generate a self-signed certificate for PKINIT. This certificate is only
used and trusted by the IPA Web UI running on the same server to obtain an
anonymous ticket.

How to upgrade that certificate to a full-featured PKINIT KDC
certificate depends on what your CA is.

A new tool, ipa-pkinit-manage, exists in freeIPA 4.5.

ipa-pkinit-manage status

will tell you current status. "Enabled" means you have properly working
PKINIT infrastructure on this system. "Disabled" means you only have
self-signed PKINIT.

ipa-pkinit-manage enable

will try to request a PKINIT KDC certificate from the freeIPA CA. You should make
sure that all freeIPA CAs are at the same level (4.5+) before running
this command.

If you are not using the freeIPA CA (an external CA is in use), the tool will tell
you to use ipa-server-certinstall to install an externally procured KDC
certificate. That certificate should have the following properties:
- it should be issued with CN=fqdn,$SUBJECT_BASE
- it should have the Kerberos principal krbtgt/REALM@REALM
- it should have the id-pkinit-KPkdc OID (1.3.6.1.5.2.3.5)

--
/ Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org