Cloned from upstream: https://pagure.io/freeipa/issue/6936
Since FreeIPA 4.5 framework relies on some form of anonymous PKINIT to obtain FAST armor tickets during password auth requests, some form of PKINIT is always configured during install/upgrade.
Thus it does not make sense to maintain pkinit-anonymous subcommand. We should mark it as deprecated and make it a no-op, since locking anonymous principal can completely break password-based auth on the masters (e.g. WebUI logins).
* 24099d0f806103d8ec57d69fc97e9b4ae061bfdd Remove pkinit-anonymous command
Waiting for rebase to land in ipa-4-5 branch
[root@vm1 ~]# ipa help pkinit-anonymous
ipa: ERROR: no command nor help topic 'pkinit_anonymous'
[root@vm1 ~]# ipa pkinit-anonymous
ipa: ERROR: unknown command 'pkinit-anonymous'
[root@vm1 ~]# ipa help pkinit|grep -i anon
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.