Skip to content

Instantly share code, notes, and snippets.

@tiran
Last active March 18, 2021 15:41
Show Gist options
  • Save tiran/63cce990954be296edaa690d3b1b75a1 to your computer and use it in GitHub Desktop.
Save tiran/63cce990954be296edaa690d3b1b75a1 to your computer and use it in GitHub Desktop.
Create Kerberos pkinit cert for proxy

On each IPA server (server.ipa.example)

  1. Apply patch https://github.com/freeipa/freeipa/pull/5496/files (https://pagure.io/freeipa/issue/8686). on RHEL it's in /usr/lib/python3.6/site-packages/ipaserver/plugins/cert.py
  2. systemctl restart httpd.service to reload server code with patch
  3. ipa host-add proxy.ipa.example --force
  4. ipa host-add-managedby proxy.ipa.example --hosts=server.ipa.example
  5. Create /tmp/fake-kdc.update (replace proxy.ipa.example with your actual proxy name three times)
  6. Create fake KDC entry in masters configuration ipa-ldap-updater fake-kdc.update
  7. systemctl restart httpd.service
  8. request new KDC cert for server's and proxy's DNS name: ipa-getcert resubmit --wait -f /var/kerberos/krb5kdc/kdc.crt -D proxy.ipa.example -D server.ipa.example
  9. Wait until ipa-getcert list -f /var/kerberos/krb5kdc/kdc.crt shows the cert request is finished and "dns:" shows both hostnames
  10. ipactl restart

fake-kdc.update

dn: cn=proxy.ipa.example,cn=masters,cn=ipa,cn=etc,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: objectclass: ipaReplTopoManagedServer
default: objectClass: ipaConfigObject
default: objectClass: ipaSupportedDomainLevelConfig
default: cn: proxy.ipa.example
default: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
default: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL

dn: cn=KDC,cn=proxy.ipa.example,cn=masters,cn=ipa,cn=etc,$SUFFIX
default: objectClass: ipaConfigObject
default: objectClass: nsContainer
default: objectClass: top
default: cn: KDC
default: ipaConfigString: configuredService

On each client

  • download CA cert from IPA server to /etc/pki/krb5/ipa.example.pem
  • create /etc/krb5.conf.d/ipa_example
[realms]
 IPA.EXAMPLE = {
        kdc = https://proxy.ipa.example/KdcProxy
        pkinit_anchors = FILE:/etc/pki/krb5/ipa.example.pem
        pkinit_pool = FILE:/etc/pki/krb5/ipa.example.pem
 }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment