[38324] in Kerberos


Re: Query: Need help for compiling with pkinit enabled.

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Sep 3 10:20:54 2018

To: Santosh Kumar <santoshjeergi@gmail.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <19181fd6-658e-03e2-3e21-903a7b24c7d1@mit.edu>
Date: Mon, 3 Sep 2018 10:20:33 -0400
In-Reply-To: <CAFnsFFdPhgbeFG1NyZ=X+3qDrJL0=0Anczse8ybL1GgwOoO8qQ@mail.gmail.com>

On 09/03/2018 07:06 AM, Santosh Kumar wrote:
>   Could you please help with information how can I enable and use pkinit.

From your description, my best guess is that you need to install the
OpenSSL development files so that PKINIT can be built.  You didn't 
mention what platform you are on; for Debian or Ubuntu this means 
installing the libssl-dev package.  You can check config.log (in the 
directory where you ran configure) to see if PKINIT is enabled:

     configure:12841: checking for a recent enough OpenSSL
     [a couple of lines of building a test program]
     configure:12862: result: yes

If PKINIT is being built but still isn't working, check the KDC logs (if 
you control the KDC) for a message like "preauth pkinit failed to 
initialize".  On the client side, use "KRB5_TRACE=/dev/stdout kinit ..." 
to look for messages about PKINIT failing on the client side.

If either the KDC or the client cannot use PKINIT, kinit will prompt for 
a password if the KDC also offers encrypted timestamp.  If you control 
the KDC and it is running MIT krb5 1.12 or later, you can disable 
encrypted timestamp by removing the principal's long-term keys.  See 
http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html for 
instructions on this as well as more information about setting up PKINIT.
Kerberos mailing list           Kerberos@mit.edu
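
The two file checks described in the message above (the configure result in config.log and the KDC log message), as an added shell example that is not part of the original message or of MIT krb5. The function names, the sample file contents and the KDC log line layout are constructed assumptions; only the quoted configure lines and the "preauth pkinit failed to initialize" string come from the message.

```sh
#!/bin/sh
# Added example: the two file checks from the message, as shell functions.

# Print configure's recorded answer for the OpenSSL test PKINIT depends on:
# "yes", "no", or "unknown" if the check or its result line is missing.
pkinit_openssl_result() {
    awk '
        /checking for a recent enough OpenSSL/ { pending = 1; next }
        pending && /: checking / { pending = 0 }   # next check began: no result
        pending && /^configure:[0-9]+: result: / {
            sub(/^configure:[0-9]+: result: /, ""); last = $0; pending = 0
        }
        END { print (last == "" ? "unknown" : last) }
    ' "$1"
}

# Count KDC log lines reporting that the PKINIT preauth module did not load.
kdc_pkinit_init_failures() {
    grep -c -F 'preauth pkinit failed to initialize' "$1" || true
}

# Constructed sample inputs (not real logs); line formats are assumptions.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config.ok" <<'EOF'
configure:12841: checking for a recent enough OpenSSL
configure:12844: gcc -c conftest.c >&5
configure:12844: $? = 0
configure:12862: result: yes
EOF
cat > "$SAMPLE_DIR/config.bad" <<'EOF'
configure:12841: checking for a recent enough OpenSSL
configure:12844: gcc -c conftest.c >&5
conftest.c: error (constructed compiler output)
configure:12862: result: no
EOF
cat > "$SAMPLE_DIR/kdc.log" <<'EOF'
Sep 03 10:00:01 kdc krb5kdc[812](Error): preauth pkinit failed to initialize: (constructed reason)
Sep 03 10:00:01 kdc krb5kdc[812](info): commencing operation
EOF

echo "openssl check (ok build):  $(pkinit_openssl_result "$SAMPLE_DIR/config.ok")"
echo "openssl check (bad build): $(pkinit_openssl_result "$SAMPLE_DIR/config.bad")"
echo "KDC pkinit init failures:  $(kdc_pkinit_init_failures "$SAMPLE_DIR/kdc.log")"
```

A result of "no" or "unknown" from the first function means PKINIT was not built in that tree, so the KDC log and client trace checks are not yet relevant.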
