On Sun, 02 Dec 2018, 74cmonty via FreeIPA-users wrote:
> Actually I executed these commands before you replied on the replica
> server:
>
> [root@ipa-replica ~]# ipa-pkinit-manage status
> PKINIT is disabled
> The ipa-pkinit-manage command was successful
> [root@ipa-replica ~]# ipa-pkinit-manage enable
> Configuring Kerberos KDC (krb5kdc)
>   [1/1]: installing X509 Certificate for PKINIT
> Done configuring Kerberos KDC (krb5kdc).
> The ipa-pkinit-manage command was successful
> [root@ipa-replica ~]# ipa-pkinit-manage status
> PKINIT is enabled
> The ipa-pkinit-manage command was successful
>
> This means I didn't delete any kdc.key / kdc.crt file.
Can you show the output of 'getcert list -f /var/kerberos/krb5kdc/kdc.crt'?
If you see something like below, then you are OK, if not, then do follow
my suggestion. Your CA must be IPA and issuer must be cn=Certificate
Authority,O=$REALM, principal name must be krbtgt/$REALM@$REALM, as well
as proper key usage and EKUs.
# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 10.
Request ID '20181128171106':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=echo.example.com,O=EXAMPLE.COM
    expires: 2020-11-28 18:11:07 CET
    principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
> The files are different compared to ipa-master.
> Should I repeat creating the files on replica server?
Yes, they should be different, as they are stored and managed by each server
separately (note the subject in each case).
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
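The checklist Alexander gives above (CA is IPA, issuer is the IPA CA, principal name is krbtgt/$REALM@$REALM, sane key usage and EKU, certmonger still tracking and auto-renewing) can be turned into a small script that parses the `getcert list` output and reports every mismatch. This is an added example, not part of the thread or of FreeIPA itself; the function names and the sample listing are constructed here, modelled on the output quoted above.

```python
"""Check certmonger's KDC PKINIT certificate tracking entry against the
requirements stated above (IPA CA, issuer, krbtgt principal, key usage, EKU)."""
import re, subprocess, sys

KDC_CERT = "/var/kerberos/krb5kdc/kdc.crt"

# Constructed sample, modelled on the listing quoted above (realm EXAMPLE.COM).
SAMPLE_LISTING = """\
Request ID '20181128171106':
\tstatus: MONITORING
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=echo.example.com,O=EXAMPLE.COM
\tprincipal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\teku: id-kp-serverAuth,id-pkinit-KPKdc
\ttrack: yes
\tauto-renew: yes
"""

def parse_getcert(text):
    """Collect the indented 'key: value' lines of one tracking entry into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def check_kdc_cert(fields, realm):
    """Return the list of mismatches; an empty list means the entry looks right."""
    expected = {"CA": "IPA",
                "issuer": f"CN=Certificate Authority,O={realm}",
                "principal name": f"krbtgt/{realm}@{realm}",
                "status": "MONITORING", "track": "yes", "auto-renew": "yes"}
    problems = [f"{k}: got {fields.get(k)!r}, want {v!r}"
                for k, v in expected.items() if fields.get(k) != v]
    if "digitalSignature" not in fields.get("key usage", "").split(","):
        problems.append("key usage lacks digitalSignature")
    if "id-pkinit-KPKdc" not in fields.get("eku", "").split(","):
        problems.append("eku lacks id-pkinit-KPKdc")
    return problems

if __name__ == "__main__":  # usage: kdc_cert_check.py REALM (runs getcert locally)
    realm = sys.argv[1] if len(sys.argv) > 1 else "EXAMPLE.COM"
    out = subprocess.run(["getcert", "list", "-f", KDC_CERT],
                         capture_output=True, text=True).stdout
    print("\n".join(check_kdc_cert(parse_getcert(out), realm) or ["OK"]))
```

Run it on each master and replica with the realm as argument; the subject differs per server, as noted above, so it is deliberately not compared.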