in Kerberos
Re: Query: Need help for compiling with pkinit enabled.
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Sep 3 10:20:54 2018
To: Santosh Kumar <email@example.com>, firstname.lastname@example.org
From: Greg Hudson <email@example.com>
Date: Mon, 3 Sep 2018 10:20:33 -0400
Content-Type: text/plain; charset="us-ascii"
On 09/03/2018 07:06 AM, Santosh Kumar wrote:
> Could you please help with information how can i enable and use pkinit.
From your description, my best guess is that you need to install the
OpenSSL development files so that PKINIT can be built. You didn't
mention what platform you are on; for Debian or Ubuntu this means
installing the libssl-dev package. You can check config.log (in the
directory where you ran configure) to see if PKINIT is enabled:
configure:12841: checking for a recent enough OpenSSL
[a couple of lines of building a test program]
configure:12862: result: yes
If PKINIT is being built but still isn't working, check the KDC logs (if
you control the KDC) for a message like "preauth pkinit failed to
initialize". On the client side, use "KRB5_TRACE=/dev/stdout kinit ..."
to look for messages about PKINIT failing on the client side.
If either the KDC or the client cannot use PKINIT, kinit will prompt for
a password if the KDC also offers encrypted timestamp. If you control
the KDC and it is running MIT krb5 1.12 or later, you can disable
encrypted timestamp by removing the principal's long-term keys. See
instructions on this as well as more information about setting up PKINIT.
Kerberos mailing list Kerberos@mit.edu