On Thu, Nov 15, 2018 at 11:43:22AM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi,
> I found this blog post:
> https://floblanc.wordpress.com/2017/06/02/troubleshooting-authentication-...
> $ ipa certmap-match user.pem
> successfully matches my user in the realm.
> If I run
> $ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so'
> user PIN:
> Password for user@SUB.DOMAIN.TLD:
> $ klist
> Ticket cache: KCM:1006000001
> Default principal: USER@SUB.DOMAIN.TLD
> Valid starting     Expires            Service principal
> 15-11-18 11:34:24  16-11-18 11:34:06  krbtgt/SUB.DOMAIN.TLD@SUB.DOMAIN.TLD
> I enter the pin code, but must enter the password as well. Then I get a
> ticket. Is this normal behaviour? I would expect not to enter a password
> and have my ticket, but I must admit I have no experience with pkinit so
> maybe this is to be expected.
No, the PIN should be sufficient. If kinit asks for a password it means
that pkinit failed and that "normal" kinit with password is tried.
bye,
Sumit
> Thanks to Florence Blanc for the blog posts, by the way, very informative.
> --
> regards,
> Natxo
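
One way to confirm the fallback described in the reply is to capture a client trace with the `KRB5_TRACE` environment variable of MIT krb5 and check what the pkinit preauth module returned. The following is an added example, not part of the original thread; the function names `pkinit_outcome` and `sample_trace` are hypothetical, and the two trace lines are constructed, modelled on the MIT krb5 trace format.

```shell
#!/bin/sh
# Added example. Capture a trace with the KRB5_TRACE variable of MIT krb5, e.g.:
#   KRB5_TRACE=trace.log kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' user
#   pkinit_outcome < trace.log

# Read a KRB5_TRACE log on stdin and report how the pkinit module fared.
pkinit_outcome() {
    awk '
        # Result of the pkinit client module for a real (non-informational) attempt.
        / Preauth module pkinit \([0-9]+\) \(real\) returned: / {
            sub(/^.* returned: /, ""); pk = $0; next
        }
        # A password-based mechanism succeeded: this is the fallback path.
        / Preauth module (encrypted_timestamp|encrypted_challenge|spake) \([0-9]+\) \(real\) returned: 0\// {
            pw = 1
        }
        END {
            note = pw ? " (password preauth succeeded)" : ""
            if (pk == "")         print "pkinit-not-attempted" note
            else if (pk ~ /^0\//) print "pkinit-ok"
            else                  print "pkinit-failed: " pk note
        }'
}

# Constructed sample (assumption): pkinit fails, then password preauth succeeds,
# which matches the PIN prompt followed by a password prompt in the thread.
sample_trace() {
    cat <<'EOF'
[2385] 1542278064.100000: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
[2385] 1542278070.200000: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
EOF
}

sample_trace | pkinit_outcome
```

The error text after `pkinit-failed:` is the starting point for further troubleshooting; the full trace around that line usually shows the underlying cause.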