sudo yum install krb5-workstation
Rewrite your '/etc/krb5.conf':
includedir /etc/krb5.conf.d/
# depending on your config, you may wish to uncomment the following:
# includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.REDHAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
REDHAT.COM = {
default_domain = REDHAT.COM
dns_lookup_kdc = true
master_kdc = kerberos.corp.redhat.com
admin_server = kerberos.corp.redhat.com
}
#make sure to save the IPA CA cert
#mkdir /etc/ipa && curl -o /etc/ipa/ca.crt https://password.corp.redhat.com/ipa.crt
IPA.REDHAT.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
pkinit_pool = FILE:/etc/ipa/ca.crt
default_domain = ipa.redhat.com
dns_lookup_kdc = true
# Trust tickets issued by legacy realm on this host
auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
auth_to_local = DEFAULT
}
#DO NOT ADD A [domain_realm] section
#https://mojo.redhat.com/docs/DOC-1166841
sudo apt-get install krb5-user
# depending on your config, you may wish to uncomment the following:
# includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.REDHAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
REDHAT.COM = {
default_domain = REDHAT.COM
dns_lookup_kdc = true
master_kdc = kerberos.corp.redhat.com
admin_server = kerberos.corp.redhat.com
}
#make sure to save the IPA CA cert
#mkdir /etc/ipa && curl -o /etc/ipa/ca.crt https://password.corp.redhat.com/ipa.crt
IPA.REDHAT.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
pkinit_pool = FILE:/etc/ipa/ca.crt
default_domain = ipa.redhat.com
dns_lookup_kdc = true
# Trust tickets issued by legacy realm on this host
auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
auth_to_local = DEFAULT
}
#DO NOT ADD A [domain_realm] section
#https://mojo.redhat.com/docs/DOC-1166841
kinit -r 7d [email protected]
klist -f
[ndp@fedora ~]$ klist -f
Ticket cache: KCM:1000
Default principal: [email protected]
Valid starting Expires Service principal
05/04/2022 12:03:14 05/04/2022 22:03:14 krbtgt/[email protected]
renew until 05/11/2022 12:03:08, Flags: FRIA
After correct setup and running the kinit
command, you should no longer be asked to enter LDAP credentials in the login forms after clicking the "login" button on the pages linked below.
You may also need to reopen the browser for the kinit ticket to take
effect.
https://docs.engineering.redhat.com/display/Errata/ET+FAQ%3A+Login+problem+after+migrate+to+IDM
Generate a keytab file (see https://source.redhat.com/groups/public/certification-initiatives/infrastructureinitiatives/infrastructure_initiatives_wiki/creating_keytab_file_for_kerberos_login). Because the entry below is derived from your password, the keytab is password-equivalent: keep it readable only by your own user (e.g. `chmod 600` on the file).
ktutil
ktutil: addent -password -p [email protected] -k 1 -e aes256-cts
ktutil: wkt krb5.keytab
ktutil: exit
kdestroy
kinit -k -t /home/ndp/keyb/krb5.keytab [email protected]
klist -f
https://docs.engineering.redhat.com/pages/viewpage.action?pageId=177385684