On Tue, Jun 04, 2019 at 09:54:45AM -0400, Robbie Harwood via FreeIPA-users wrote:
> Khurrum Maqb via FreeIPA-users writes:
>
> > That worked! Thanks so much! I can login and successfully receive a
> > kerberos ticket when using a smartcard to login.
> > I also added the following to /etc/krb5
Khurrum Maqb via FreeIPA-users writes:
> That worked! Thanks so much! I can login and successfully receive a kerberos
> ticket when using a smartcard to login.
> I also added the following to /etc/krb5.conf to match only a single cert for
> pkinit
>
> pkinit_cert_match = &&msScLogin,clientAuthd
That worked! Thanks so much! I can login and successfully receive a kerberos
ticket when using a smartcard to login.
I also added the following to /etc/krb5.conf to match only a single cert for
pkinit
pkinit_cert_match = &&<EKU>msScLogin,clientAuth<KU>digitalSignature
I am now down to 15 seconds for log
On 5/29/19 3:36 PM, Sumit Bose via FreeIPA-users wrote:
On Wed, May 29, 2019 at 01:19:19PM -, Khurrum Maqb via FreeIPA-users wrote:
They are indeed all self signed:
#openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
issuer= /O=DOMAIN.COM/CN=server1.dom.ain
subject= /O=D
On Wed, May 29, 2019 at 01:19:19PM -, Khurrum Maqb via FreeIPA-users wrote:
> They are indeed all self signed:
>
> #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
> issuer= /O=DOMAIN.COM/CN=server1.dom.ain
> subject= /O=DOMAIN.COM/CN=server1.dom.ain
>
> #openssl x509 -
They are indeed all self signed:
#openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
issuer= /O=DOMAIN.COM/CN=server1.dom.ain
subject= /O=DOMAIN.COM/CN=server1.dom.ain
#openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
issuer= /O=DOMAIN.COM/CN=server2.dom.
On Tue, May 28, 2019 at 08:27:41PM -, Khurrum Maqb via FreeIPA-users wrote:
> Oh I see. I misunderstood the result.
>
> ]# ipa pkinit-status
> -
> 4 servers matched
> -
> Server name: server1.dom.ain
> PKINIT status: enabled
>
> Server name: server2.dom.
On Tue, May 28, 2019 at 08:43:33PM -, Khurrum Maqb via FreeIPA-users wrote:
> I apologize for the successive emails.
>
> FYI, the OCSP + the Server Cert error goes away and the CA starts responding
> after I turn NSSOCSP off in /etc/httpd/conf.d/nss.conf
ah, iirc you mentioned earlier that
I apologize for the successive emails.
FYI, the OCSP + the Server Cert error goes away and the CA starts responding
after I turn NSSOCSP off in /etc/httpd/conf.d/nss.conf
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubs
Nothing is expired
# getcert list | grep expires
expires: 2020-08-04 18:40:09 UTC
expires: 2020-08-04 18:40:14 UTC
expires: 2020-07-06 04:26:59 UTC
expires: 2020-07-06 04:21:02 UTC
expires: 2020-07-06 04:22:18 UTC
expires: 2020-07-06 04:25:55 UTC
Oh I see. I misunderstood the result.
]# ipa pkinit-status
-
4 servers matched
-
Server name: server1.dom.ain
PKINIT status: enabled
Server name: server2.dom.ain
PKINIT status: enabled
Server name: server3.dom.ain
PKINIT status: enabled
Server name
On Tue, May 28, 2019 at 04:37:25PM -, Khurrum Maqb via FreeIPA-users wrote:
> Thanks!
>
> So on the IPA server that is listed in the client's /etc/ipa/default file I
> ran:
>
> # openssl verify -verbose -CAfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> /var/kerberos/krb5kdc/kdc.crt
> /va
Thanks!
So on the IPA server that is listed in the client's /etc/ipa/default file I ran:
# openssl verify -verbose -CAfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem
/var/kerberos/krb5kdc/kdc.crt
/var/kerberos/krb5kdc/kdc.crt: O = DOMAIN.COM, CN = ipa-server.do.ma.in
error 18 at 0 depth lookup:s
On 5/24/19 6:12 PM, Khurrum Maqb via FreeIPA-users wrote:
We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on Centos7 and would
like to properly configure smartcard authentication. The smartcards that we're
using have been signed by an External CA controlled by a different entity. So
t
On Fri, May 24, 2019 at 10:30:15PM -, Khurrum Maqb via FreeIPA-users wrote:
> Strangely, it's correct. I also just did another ipa-client-install
> --request-cert and it joined correctly and placed the IPA cert in that
> location. Here is the krb5.conf file
>
> [root@gs6069-ld-i014 ~]# cat /
Strangely, it's correct. I also just did another ipa-client-install
--request-cert and it joined correctly and placed the IPA cert in that
location. Here is the krb5.conf file
[root@gs6069-ld-i014 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedi
On Fri, May 24, 2019 at 07:30:53PM -, Khurrum Maqb via FreeIPA-users wrote:
> And if I specify the card LABEL:
>
> # KRB5_TRACE=/dev/stdout kinit -X
> X509_user_identity='PKCS11:opensc-pkcs11.so:certlabel=Certificate for PIV
> Authentication' username
> [22278] 1558726069.978962: Ge
And if I specify the card LABEL:
# KRB5_TRACE=/dev/stdout kinit -X
X509_user_identity='PKCS11:opensc-pkcs11.so:certlabel=Certificate for PIV
Authentication' username
[22278] 1558726069.978962: Getting initial credentials for username@DOMAIN
[22278] 1558726069.978964: Sending unauthenticated r
Thank you very much for the response, Sumit.
> Can you send the full output of
>
> KRB5_TRACE=/dev/stdout kinit -X
> X509_user_identity='PKCS11:opensc-pkcs11.so'
> username
Here it is. There are indeed 9 certs on the smartcard and the card auth cert is
at location 01
# KRB5_TRACE=/dev/s
On Fri, May 24, 2019 at 04:12:20PM -, Khurrum Maqb via FreeIPA-users wrote:
> We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on Centos7 and would
> like to properly configure smartcard authentication. The smartcards that
> we're using have been signed by an External CA controlled by