IPA client installation with PKINIT (ipa-client-install --pkinit-identity ...) can block if PKINIT authentication fails. The issue can occur when the KDC refuses the certs or the CA trust chain is incomplete. On authentication error, kinit asks the user to supply a password instead. This blocks ipa-client-install even in unattended installation mode.
/var/log/ipaclient-install.log
The client installer blocks in the kinit_pkinit() call. The last line in the installer is ['/usr/bin/kinit', ...].
The installer should fail immediately.
All Fedora and RHEL versions with 4.9.11+ and 4.10.1+ are affected.
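The failure mode described above, as an added example that is not FreeIPA code and not the change from the linked pull request: a child process that falls back to a password prompt hangs its caller unless its standard input is closed, with a timeout as a backstop. It assumes kinit reads its fallback prompt from standard input; FAKE_KINIT and run_kinit are hypothetical names, and the stand-in child is constructed so the example runs offline.

```python
import subprocess
import sys

# Constructed stand-in for a kinit whose PKINIT attempt was rejected: it falls
# back to a password prompt and waits for a line on standard input.
FAKE_KINIT = [sys.executable, "-c", (
    "import sys\n"
    "sys.stderr.write('Password for host/client.example.test: ')\n"
    "sys.stderr.flush()\n"
    "line = sys.stdin.readline()\n"
    "sys.exit(0 if line.strip() else 1)\n"
)]


def run_kinit(argv, close_stdin, timeout):
    """Run argv and report 'ok', 'failed' or 'blocked' (hypothetical helper).

    close_stdin=False models an installer whose child inherits an input
    nobody types on; close_stdin=True hands the child /dev/null, so the
    prompt reads EOF at once and the process exits with an error.
    """
    stdin = subprocess.DEVNULL if close_stdin else subprocess.PIPE
    proc = subprocess.Popen(argv, stdin=stdin,
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    try:
        rc = proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        # Backstop: never wait forever on a credential prompt.
        proc.kill()
        proc.wait()
        return "blocked"
    finally:
        if proc.stdin is not None:
            proc.stdin.close()
    return "ok" if rc == 0 else "failed"


if __name__ == "__main__":
    print("open stdin:  ", run_kinit(FAKE_KINIT, close_stdin=False, timeout=2))
    print("closed stdin:", run_kinit(FAKE_KINIT, close_stdin=True, timeout=10))
```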
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6707
master:
ipa-4-9:
ipa-4-10:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)