With this change it's possible to bootstrap a KDC using a client certificate with a PKINIT SAN for iprop/fqdn. Given such a certificate one could run ipropd-slave via kinit to pull down the initial copy of the HDB, then start the KDC services using the HDBGET: keytab. That should make bootstrapping new secondary KDCs very easy. One could bootstrap the KDC with such a certificate using, e.g., Safeboot (https://github.com/osresearch/safeboot), enrolling the host as a KDC.