URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
External CA (rebased on current master to be able to install):
```
$ kinit -n
kinit: Invalid certificate while getting initial credentials
$ /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_9588 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
kinit: Invalid certificate while getting initial credentials
```
and on replica:
```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```
=> this breaks WebUI on external CA installations.

=================================
CA-less with `--no-pkinit`:
```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```
but I guess that's expected, WebUI works since the following does work as well:
```
$ /usr/bin/kinit -n -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
```
=================================
In CA-less with PKINIT options, `kinit -n` works fine, although replica installation will produce:
```
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
ipa         : ERROR    PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
ipa         : ERROR    Failed to configure PKINIT
Done configuring Kerberos KDC (krb5kdc).
```
when run with own PKINIT certificate from `--pkinit-cert-file` option. I don't think it should be asking any CA for a certificate if we already have the certificate.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/758#issuecomment-300097018