Strangely, it's correct. I also just did another ipa-client-install 
--request-cert and it joined correctly and placed the IPA cert in that 
location. Here is the krb5.conf file:

[root@gs6069-ld-i014 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = DOMAIN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  DOMAIN = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }

[domain_realm]
  the.dom.ain = DOMAIN
  the.dom.ain = DOMAIN
  host.the.dom.ain = DOMAIN

It appears to be the same file as:

# ls -la /etc/ipa/ca.crt 
-rw-r--r--. 1 root root 11062 May 24 18:04 /etc/ipa/ca.crt
# ls -la /var/lib/ipa-client/pki/kdc-ca-bundle.pem
-rw-r--r--. 1 root root 11062 May 24 18:04 /var/lib/ipa-client/pki/kdc-ca-bundle.pem

And openssl x509 -in /var/lib/ipa-client/pki/kdc-ca-bundle.pem -text outputs 
something that looks correct. 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=DOMAIN, CN=Certificate Authority
        Validity
            Not Before: Aug 10 21:29:31 2012 GMT
            Not After : Aug 10 21:29:31 2020 GMT
        Subject: O=DOMAIN, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:bb:0e:b3:5d:cb:1a:0c:[..snip..]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:A8:..[[snip]]41
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                A8[[..snip]]
            Authority Information Access: 
                OCSP - URI:http://another.dom.ain:80/ca/ocsp
    Signature Algorithm: sha256WithRSAEncryption

The OCSP field looks like it's pointing to an outdated/retired replica. But 
other than that, a regular "kinit username" gets issued a correct Kerberos 
ticket just fine. It's just the smartcard cert (which is signed by an external 
CA that is added to the cert list on the server) that does not verify the DH. 
But I checked the server and it's successfully issuing a ticket. The client, 
however, refuses to accept it. 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

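As an added example (not part of the original post, and not FreeIPA's own code), the script below does the client-side checks this thread is circling around, using only the openssl CLI. The post compares ca.crt and kdc-ca-bundle.pem by size and inspects the bundle with "openssl x509 -text", which prints only the first certificate of a PEM bundle; an 11 KB file holds several, so that output says nothing about whether the external smartcard CA is in the client's anchors. The script lists every certificate in the bundle with its fingerprint, then verifies the two properties the krb5 client checks on the KDC's PKINIT reply before it accepts the ticket: that the KDC certificate chains to pkinit_anchors, and that it carries the id-pkinit-KPKdc EKU. All names in it (kdc-ca-bundle.pem, kdc.pem, EXAMPLE.TEST, kdc.example.test) and the demo PKI it generates are constructed for the example; to check a real deployment, point "report" at a directory holding your own kdc-ca-bundle.pem and a copy of the KDC's PKINIT certificate (normally /var/kerberos/krb5kdc/kdc.crt on the IPA server).

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the original post or from
# FreeIPA. Needs only the openssl CLI. File names (kdc-ca-bundle.pem, kdc.pem)
# mirror the thread; the demo PKI built by make_toy_pki is constructed data.
set -u

# Number of certificates in a PEM bundle. 'openssl x509 -text' prints only the
# FIRST certificate of a bundle; an 11 KB bundle holds several.
count_bundle_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# One line per certificate: SHA-256 fingerprint, subject, issuer. Run it on the
# client's pkinit_anchors bundle to see whether the external smart-card CA is
# really in there, and diff the output against the server's CA list.
list_bundle_certs() {
    local bundle="$1" tmp f
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }' "$bundle"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        openssl x509 -in "$f" -noout -fingerprint -sha256 -subject -issuer | tr '\n' ' '
        echo
    done
    rm -rf "$tmp"
}

# Does the KDC's PKINIT certificate chain to the anchors bundle? This is the
# check the krb5 client makes on the AS-REP: a server that "successfully
# issues a ticket" does not help when the chain cannot be built locally.
# Only the given bundle is trusted, not the system store, as the client does.
kdc_cert_chains_to_anchors() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the KDC certificate carry the PKINIT KDC EKU (id-pkinit-KPKdc,
# 1.3.6.1.5.2.3.5)? With the default pkinit_eku_checking = kpKDC the client
# rejects a KDC certificate that lacks it.
has_kdc_pkinit_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -Eq 'Signing KDC Response|pkInitKDC|1\.3\.6\.1\.5\.2\.3\.5'
}

# Constructed demo PKI in "$1": an IPA-style CA, a KDC cert it issued with the
# PKINIT KDC EKU, an unrelated "external" CA standing in for the smart-card
# CA, and a two-certificate anchors bundle like the one in the thread.
make_toy_pki() {
    local dir="$1"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = v3_ca' '[dn]' 'O = EXAMPLE.TEST' 'CN = Certificate Authority' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$dir/ca.cnf"
    sed 's/^CN = .*/CN = External Smartcard CA/' "$dir/ca.cnf" > "$dir/ext.cnf"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        '[dn]' 'CN = kdc.example.test' > "$dir/kdc.cnf"
    printf '%s\n' 'extendedKeyUsage = 1.3.6.1.5.2.3.5' \
        'keyUsage = digitalSignature' > "$dir/kdc.ext"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$dir/ext.cnf" \
        -keyout "$dir/ext.key" -out "$dir/ext.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/kdc.cnf" \
        -keyout "$dir/kdc.key" -out "$dir/kdc.csr" 2>/dev/null
    openssl x509 -req -in "$dir/kdc.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -extfile "$dir/kdc.ext" -out "$dir/kdc.pem" 2>/dev/null
    cat "$dir/ca.pem" "$dir/ext.pem" > "$dir/kdc-ca-bundle.pem"
}

# Report on a directory holding kdc-ca-bundle.pem and kdc.pem; with no
# argument, build and inspect the constructed demo PKI instead.
report() {
    local dir="${1:-}" tmp=""
    if [ -z "$dir" ]; then
        tmp=$(mktemp -d); dir="$tmp"; make_toy_pki "$dir"
    fi
    echo "certificates in anchors bundle: $(count_bundle_certs "$dir/kdc-ca-bundle.pem")"
    list_bundle_certs "$dir/kdc-ca-bundle.pem"
    if kdc_cert_chains_to_anchors "$dir/kdc-ca-bundle.pem" "$dir/kdc.pem"; then
        echo "KDC cert chains to anchors: yes"
    else
        echo "KDC cert chains to anchors: NO - the client will reject the AS-REP"
    fi
    if has_kdc_pkinit_eku "$dir/kdc.pem"; then
        echo "KDC cert has id-pkinit-KPKdc EKU: yes"
    else
        echo "KDC cert has id-pkinit-KPKdc EKU: NO"
    fi
    [ -n "$tmp" ] && rm -rf "$tmp"
    return 0
}

report "${1:-}"
```

When the chain check fails on a real host, running kinit with KRB5_TRACE=/dev/stderr in the environment prints the anchor lookups and the exact verification error on the client, which is where the rejection described in this thread happens; the server log only shows that a reply was sent. A CA that is present in the server's certificate list but missing from the client's kdc-ca-bundle.pem shows up directly as a missing line in the fingerprint listing.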