Currently, if PKINIT is not configured, there is no fallback mechanism for the FreeIPA framework to obtain an armor TGT for password/2FA logins. In this case we should issue a local KDC keypair for use as a fallback mechanism only on the master (it is not expected for this to work on clients). This keypair may be either self-signed, or we may introduce a local PKINIT CA that will sign the KDC keypair. This CA will be self-signed in the no-PKINIT scenario, and will be replaced by a CA with the same subject and private key after full PKINIT is requested.
For more details see http://www.freeipa.org/page/V4/Kerberos_PKINIT
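The following is an added example, not FreeIPA's own code: a small check for the "PKINIT not configured" condition described above. It inspects a kdc.conf for the `pkinit_identity` and `pkinit_anchors` settings (the key names used by MIT krb5; the file paths and realm name in the sample configs are constructed here) and, where `kinit` is available, tries anonymous PKINIT, which is what the framework needs to obtain an armor TGT.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): decide whether a KDC has PKINIT
# configured, i.e. whether an armor TGT can be obtained via anonymous PKINIT
# or whether the local fallback keypair described in the ticket is needed.

# kdc_has_pkinit FILE: succeed only if the kdc.conf sets both
# pkinit_identity (KDC cert/key) and pkinit_anchors (trusted CA).
kdc_has_pkinit() {
    conf="$1"
    [ -r "$conf" ] || return 2
    grep -Eq '^[[:space:]]*pkinit_identity[[:space:]]*=' "$conf" &&
    grep -Eq '^[[:space:]]*pkinit_anchors[[:space:]]*=' "$conf"
}

# anon_pkinit_works CCACHE: request an anonymous TGT with anonymous PKINIT
# (kinit -n), the mechanism used to build a FAST armor cache. Returns 2 when
# kinit is not installed so callers can tell "cannot test" from "failed".
anon_pkinit_works() {
    command -v kinit >/dev/null 2>&1 || return 2
    kinit -n -c "$1" >/dev/null 2>&1
}

# Constructed sample configs so the check can be demonstrated offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/kdc-pkinit.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
[realms]
 EXAMPLE.TEST = {
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 }
EOF
cat > "$tmp/kdc-nopkinit.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
[realms]
 EXAMPLE.TEST = {
  max_life = 7d
 }
EOF

for f in "$tmp/kdc-pkinit.conf" "$tmp/kdc-nopkinit.conf"; do
    if kdc_has_pkinit "$f"; then
        echo "$f: PKINIT configured, anonymous PKINIT armor should be available"
    else
        echo "$f: PKINIT not configured, armor TGT needs the local fallback keypair"
    fi
done
```

On a real master, run `anon_pkinit_works /tmp/armor_ccache` against the live KDC; a failure there with PKINIT settings present points at the certificates or trust anchors rather than the configuration keys.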
Metadata Update from @mbabinsk: - Issue assigned to mbabinsk
Metadata Update from @mbabinsk: - Issue priority set to: 1
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1438729
Issue linked to bug 1438729
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.5.1
master:
ipa-4-5:
Metadata Update from @jcholast: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)