Chapter 52. Kerberos PKINIT authentication in IdM
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) is a preauthentication mechanism for Kerberos. The Identity Management (IdM) server includes a mechanism for Kerberos PKINIT authentication.
52.1. Default PKINIT configuration
The default PKINIT configuration on your IdM servers depends on the certificate authority (CA) configuration.
CA configuration | PKINIT configuration |
---|---|
Without a CA, no external PKINIT certificate provided | Local PKINIT: IdM only uses PKINIT for internal purposes on servers. |
Without a CA, external PKINIT certificate provided to IdM | IdM configures PKINIT by using the external Kerberos key distribution center (KDC) certificate and CA certificate. |
With an Integrated CA | IdM configures PKINIT by using the certificate signed by the IdM CA. |
52.2. Displaying the current PKINIT configuration
IdM provides multiple commands you can use to query the PKINIT configuration in your domain.
Procedure
To determine the PKINIT status in your domain, use the
ipa pkinit-status
command:$ ipa pkinit-status Server name: server1.example.com PKINIT status: enabled [...output truncated...] Server name: server2.example.com PKINIT status: disabled [...output truncated...]
The command displays the PKINIT configuration status as
enabled
ordisabled
:-
enabled
: PKINIT is configured using a certificate signed by the integrated IdM CA or an external PKINIT certificate. -
disabled
: IdM only uses PKINIT for internal purposes on IdM servers.
-
To list the IdM servers with active Kerberos key distribution centers (KDCs) that support PKINIT for IdM clients, use the
ipa config-show
command on any server:$ ipa config-show Maximum username length: 32 Home directory base: /home Default shell: /bin/sh Default users group: ipausers [...output truncated...] IPA masters capable of PKINIT: server1.example.com [...output truncated...]
52.3. Configuring PKINIT in IdM
If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit
option with the ipa-server-install
or ipa-replica-install
utilities.
Prerequisites
- Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level.
Procedure
Check if PKINIT is enabled on the server:
# kinit admin Password for admin@IDM.EXAMPLE.COM: # ipa pkinit-status --server=server.idm.example.com 1 server matched ---------------- Server name: server.idm.example.com PKINIT status:enabled ---------------------------- Number of entries returned 1 ----------------------------
If PKINIT is disabled, you will see the following output:
# ipa pkinit-status --server server.idm.example.com ----------------- 0 servers matched ----------------- ---------------------------- Number of entries returned 0 ----------------------------
You can also use the command to find all the servers where PKINIT is enabled if you omit the
--server <server_fqdn>
parameter.If you are using IdM without CA:
On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate:
# ipa-cacert-manage install -t CT,C,C ca.pem
To update all IPA hosts, repeat the
ipa-certupdate
command on all replicas and clients:# ipa-certupdate
Check if the CA certificate has already been added using the
ipa-cacert-manage list
command. For example:# ipa-cacert-manage list CN=CA,O=Example Organization The ipa-cacert-manage command was successful
Use the
ipa-server-certinstall
utility to install an external KDC certificate. The KDC certificate must meet the following conditions:-
It is issued with the common name
CN=fully_qualified_domain_name,certificate_subject_base
. -
It includes the Kerberos principal
krbtgt/REALM_NAME@REALM_NAME
. It contains the Object Identifier (OID) for KDC authentication:
1.3.6.1.5.2.3.5.
# ipa-server-certinstall --kdc kdc.pem kdc.key # systemctl restart krb5kdc.service
-
It is issued with the common name
See your PKINIT status:
# ipa pkinit-status Server name: server1.example.com PKINIT status: enabled [...output truncated...] Server name: server2.example.com PKINIT status: disabled [...output truncated...]
If you are using IdM with a CA certificate, enable PKINIT as follows:
# ipa-pkinit-manage enable Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT Done configuring Kerberos KDC (krb5kdc). The ipa-pkinit-manage command was successful
If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.
Additional resources
-
ipa-server-certinstall(1)
man page on your system
52.4. Additional resources
- For details on Kerberos PKINIT, PKINIT configuration in the MIT Kerberos Documentation.