In mixed FreeIPA topologies (pre-4.5 and 4.5 masters) it may be useful to have a tool reporting masters which have PKINIT enabled. This could greatly simplify troubleshooting in cases when some of the clients attempt to request a TGT via PKINIT and fail (maybe due to resolving an old KDC that does not understand PKINIT yet).
Since PKINIT is an attribute of KDC shared by multiple masters, we may reuse the Server-Roles API (after slight modifications) to report PKINIT status based on pkinitEnabled value set on KDC entry's ipaConfigString. This can be reported in ipaconfig and we can also provide a dedicated ipa pkinit-status command to retrieve this info.
ipa pkinit-status
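As an added illustration of the approach proposed above (not FreeIPA's own code), the following script derives each master's PKINIT status from the `pkinitEnabled` value in the KDC entry's `ipaConfigString`, the way the ticket describes, and also lists masters that a client could resolve but which do not advertise PKINIT. The LDAP entries are constructed in-memory samples; the DN layout `cn=KDC,cn=<master>,cn=masters,cn=ipa,cn=etc,<suffix>` and the case-insensitive comparison of `ipaConfigString` values are assumptions, and the function names are hypothetical.

```python
"""Report which masters advertise PKINIT, from their KDC service entries.

Added example, not FreeIPA code. It works over constructed in-memory
entries instead of a live LDAP search; the DN layout below is assumed.
"""
import re

# Assumed location of the per-master KDC service entry.
KDC_DN_RE = re.compile(
    r"^cn=KDC,cn=(?P<master>[^,]+),cn=masters,cn=ipa,cn=etc,", re.IGNORECASE
)

# Constructed sample entries: two masters with PKINIT, one older master
# without it, and one non-KDC service entry that must be ignored.
SAMPLE_ENTRIES = [
    {"dn": "cn=KDC,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     "ipaConfigString": ["enabledService", "pkinitEnabled"]},
    {"dn": "cn=KDC,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     "ipaConfigString": ["enabledService", "PKINITENABLED"]},  # case differs
    {"dn": "cn=KDC,cn=old.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     "ipaConfigString": ["enabledService"]},  # pre-4.5 style KDC, no PKINIT
    {"dn": "cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     "ipaConfigString": ["enabledService"]},  # not a KDC entry
]


def pkinit_status(entries):
    """Map master FQDN (lower-cased) -> True if its KDC entry carries
    pkinitEnabled, False otherwise. Non-KDC entries are skipped."""
    status = {}
    for entry in entries:
        match = KDC_DN_RE.match(entry["dn"])
        if not match:
            continue
        # Assumption: ipaConfigString values compare case-insensitively.
        values = {v.lower() for v in entry.get("ipaConfigString", [])}
        status[match.group("master").lower()] = "pkinitenabled" in values
    return status


def pkinit_servers(entries):
    """Sorted list of masters advertising PKINIT (the pkinit-status view)."""
    return sorted(m for m, enabled in pkinit_status(entries).items() if enabled)


def masters_missing_pkinit(entries, all_masters):
    """Masters with no KDC entry or no pkinitEnabled flag: the ones a client
    would fail against if it happened to resolve them for PKINIT."""
    status = pkinit_status(entries)
    return sorted(m for m in all_masters if not status.get(m.lower(), False))


def format_report(entries):
    """Plain-text report, one block per master."""
    lines = []
    for master, enabled in sorted(pkinit_status(entries).items()):
        lines.append("  Server name: %s" % master)
        lines.append("  PKINIT status: %s" % ("enabled" if enabled else "disabled"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_ENTRIES))
    print("Missing PKINIT:", masters_missing_pkinit(
        SAMPLE_ENTRIES, ["ipa1.example.test", "old.example.test", "ghost.example.test"]))
```

The `masters_missing_pkinit` check is the troubleshooting angle from the ticket: feed it the list of KDCs that clients can actually resolve and any name that comes back is a candidate for the failing PKINIT requests.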
Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue set to the milestone: FreeIPA 4.5.1
Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1449523
Issue linked to bug 1449523
Metadata Update from @pvoborni:
- Issue assigned to mbabinsk
Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
FreeIPA 4.5.2
ipa-4-5:
pkinit-status
master:
Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)