On Fri, Oct 21, 2016 at 03:34:04PM -0000, niger niger wrote:
> Now files downloadable, thanks.
> One more question. What you meant under "If you already have a working pkinit
> configuration not additional configuration is needed"?
> I can run kinit, enter the password and receive a Kerberos ticket, but can't
> get a ticket using the token. Is that enough, or do I need to set up receiving a Kerberos
> ticket using the token first?

In this case you have to add some options to /etc/krb5.conf. As I wrote
earlier:

... you have to add at least pkinit_anchors to your /etc/krb5.conf
pointing to the CA certificates. Depending on the certificate of the KDC
you might need to add pkinit_kdc_hostname and pkinit_eku_checking as
well. Please see man krb5.conf for details.

>
> PS. Maybe interesting link to add to this wiki (about cert mapping, in AD)
> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD
>
> https://blogs.technet.microsoft.com/askds/2009/08/10/mapping-one-smartcard-certificate-to-multiple-accounts/

Using one certificate for multiple accounts/identities will be another
feature for the next major release. I think I will create a new page for
this and will add the link to the MSFT blog there.

Thanks

bye,
Sumit

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
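
A client-side krb5.conf fragment for the three options named in the reply above, added here as an example that is not part of the original message. The realm name, KDC hostname and CA file path are constructed placeholders, and placing the options in the realm's `[realms]` subsection is an assumption (krb5.conf also accepts them in `[libdefaults]`).

```ini
# /etc/krb5.conf (fragment) -- added example, not from the thread.
# EXAMPLE.COM, kdc.example.com and the CA path are placeholders.
[realms]
    EXAMPLE.COM = {
        # Trust anchors: the CA certificate(s) that signed the KDC certificate.
        # FILE: names a PEM file; DIR: names an OpenSSL-style hashed CA directory.
        # Without an anchor the client cannot validate the KDC and PKINIT fails.
        pkinit_anchors = FILE:/etc/pki/tls/certs/example-ca.pem

        # Needed only when the KDC certificate has no id-pkinit-san and carries
        # a dNSName SAN instead. The value must match the name in the certificate.
        pkinit_kdc_hostname = kdc.example.com

        # Default is kpKDC: the KDC certificate must carry the id-pkinit-KPKdc EKU.
        # kpServerAuth additionally accepts the ordinary id-kp-serverAuth EKU found
        # in most commercially issued server certificates.
        pkinit_eku_checking = kpServerAuth

        # Weak setting, shown for contrast and left commented out: "none" skips
        # the EKU check on the KDC certificate entirely, which krb5.conf(5)
        # does not recommend.
        # pkinit_eku_checking = none
    }
```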