It seems that we have an incomplete PKINIT configuration in krb5.conf on the server that renders this line in the KDC log:
Aug 13 14:03:25 <host> krb5kdc8425: preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Here is the suspicious line in krb5.conf:
pkinit_anchors = FILE:/etc/ipa/ca.crt
As per information from Simo, this line is there on purpose to have clients prepared for PKINIT when FreeIPA server supports it.
As we plan to do PKINIT on the server, we will leave the line there.
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
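The following is an added example, not part of the original ticket or of FreeIPA: a small checker that reports, per realm, which of the two options the MIT krb5 kdc.conf documentation marks as required for KDC-side PKINIT (`pkinit_identity`, `pkinit_anchors`) are absent. The realm name, the sample profile and the function names are constructed for illustration, and the checker assumes it only needs to look at `[realms]` and `[kdcdefaults]`.

```python
import re

# Options the MIT krb5 kdc.conf documentation marks as required for KDC-side PKINIT.
KDC_REQUIRED = ("pkinit_identity", "pkinit_anchors")

# Constructed sample: the realm block carries only the client-side anchor line
# quoted in the ticket.
SAMPLE = """
[libdefaults]
 default_realm = EXAMPLE.TEST
[realms]
 EXAMPLE.TEST = {
  kdc = kdc.example.test:88
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""

def pkinit_settings(profile_text):
    """Return {realm: {option: value}} for pkinit_* options set directly in a
    realm block, with [kdcdefaults] values applied as fallbacks."""
    section, realm, depth = None, None, 0
    realms, defaults = {}, {}
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm, depth = m.group(1), None, 0
            continue
        if line.startswith("}"):
            depth = max(depth - 1, 0)
            if depth == 0:
                realm = None              # left the realm block
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue
        if value == "{":                  # opening of a (possibly nested) block
            if section == "realms" and depth == 0:
                realm = key
                realms.setdefault(realm, {})
            depth += 1
        elif key.startswith("pkinit_"):
            if section == "realms" and realm and depth == 1:
                realms[realm][key] = value
            elif section == "kdcdefaults":
                defaults[key] = value
    return {r: {**defaults, **opts} for r, opts in realms.items()}

def missing_for_kdc(profile_text):
    """Return {realm: [required KDC PKINIT options that are absent]}."""
    return {r: [o for o in KDC_REQUIRED if o not in opts]
            for r, opts in pkinit_settings(profile_text).items()}
```

On the constructed sample, `missing_for_kdc(SAMPLE)` reports `pkinit_identity` as absent for the realm, which matches a profile that is prepared for PKINIT clients but not yet for the KDC.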