Strangely, it's correct. I also just did another ipa-client-install --request-cert and it joined correctly and placed the IPA cert in that location. Here is the krb5.conf file:

[root@gs6069-ld-i014 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = DOMAIN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  DOMAIN = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  the.dom.ain = DOMAIN
  the.dom.ain = DOMAIN
  host.the.dom.ain = DOMAIN

It appears to be the same file as:

# ls -la /etc/ipa/ca.crt
-rw-r--r--. 1 root root 11062 May 24 18:04 /etc/ipa/ca.crt
# ls -la /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r--. 1 root root 11062 May 24 18:04 /var/lib/ipa-client/pki/kdc-ca-bundle.pem

And openssl x509 -in /var/lib/ipa-client/pki/kdc-ca-bundle.pem -text outputs something that looks correct:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=DOMAIN, CN=Certificate Authority
        Validity
            Not Before: Aug 10 21:29:31 2012 GMT
            Not After : Aug 10 21:29:31 2020 GMT
        Subject: O=DOMAIN, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:bb:0e:b3:5d:cb:1a:0c:[..snip..]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:A8:..[[snip]]41
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                A8[[..snip]]
            Authority Information Access:
                OCSP - URI:http://another.dom.ain:80/ca/ocsp
    Signature Algorithm: sha256WithRSAEncryption

The OCSP field looks like it's pointing to an outdated/retired replica. But other than that, a regular kinit username gets issued a correct Kerberos ticket just fine.
It's just the smartcard cert (which is signed by an external CA that was added to the cert list on the server) that does not verify the DH. But I checked the server and it's successfully issuing a ticket; the client refuses to accept it.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org