[38325] in Kerberos


Re: Query: Need help for compiling with pkinit enabled.

daemon@ATHENA.MIT.EDU (Santosh Kumar)
Mon Sep 3 12:29:08 2018

MIME-Version: 1.0
In-Reply-To: <1535985622997.749009433@boxbe>
From: Santosh Kumar <santoshjeergi@gmail.com>
Date: Mon, 3 Sep 2018 21:58:25 +0530
Message-ID: <CAFnsFFeJy2R7R7q09T38KV6rvsUhwaqtHDxQJJXF94ywoNuajw@mail.gmail.com>
To: ghudson@mit.edu
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Greg Hudson,

Thank you very much. Resolved.

Installed openssl-dev on my CentOS.

And ran the reconfigure; PKINIT is "yes" in config.log, which was
earlier "no".


On Mon, Sep 3, 2018 at 8:10 PM Greg Hudson <ghudson@mit.edu> wrote:

> On 09/03/2018 07:06 AM, Santosh Kumar wrote:
> >   Could you please help with information how can i enable and use pkinit.
>
> From your description, my best guess is that you need to install the
> OpenSSL development files so that PKINIT can be built.  You didn't
> mention what platform you are on; for Debian or Ubuntu this means
> installing the libssl-dev package.  You can check config.log (in the
> directory where you ran configure) to see if PKINIT is enabled:
>
>      configure:12841: checking for a recent enough OpenSSL
>      [a couple of lines of building a test program]
>      configure:12862: result: yes
>      [...]
>      PKINIT='yes'
>
> If PKINIT is being built but still isn't working, check the KDC logs (if
> you control the KDC) for a message like "preauth pkinit failed to
> initialize".  On the client side, use "KRB5_TRACE=/dev/stdout kinit ..."
> to look for messages about PKINIT failing on the client side.
>
> If either the KDC or the client cannot use PKINIT, kinit will prompt for
> a password if the KDC also offers encrypted timestamp.  If you control
> the KDC and it is running MIT krb5 1.12 or later, you can disable
> encrypted timestamp by removing the principal's long-term keys.  See
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html for
> instructions on this as well as more information about setting up PKINIT.
Kerberos mailing list           Kerberos@mit.edu
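
The config.log check described in the quoted reply, as an added example that is not part of the original thread or of krb5 itself. The function name `pkinit_build_state` and the state strings it prints are hypothetical, and it assumes a failed OpenSSL probe is logged as "result: no".

```shell
#!/bin/sh
# Added example: classify the PKINIT build state from a krb5 config.log.
# pkinit_build_state is a hypothetical helper name, not part of krb5.
# Usage: sh check_pkinit.sh /path/to/build/config.log
pkinit_build_state() {
    log=$1
    [ -r "$log" ] || { echo "no-log"; return 2; }

    # First "result:" line after "checking for a recent enough OpenSSL".
    # configure line numbers vary between releases, so match on text only.
    ssl=$(awk '
        /checking for a recent enough OpenSSL/ { want = 1; next }
        want && /result:/ { sub(/.*result: */, ""); print; exit }
    ' "$log")

    # Last PKINIT='...' assignment in the log (the substituted output variable).
    pk=$(sed -n "s/^[[:space:]]*PKINIT='\\([^']*\\)'.*/\\1/p" "$log" | tail -n 1)

    if [ "$pk" = "yes" ]; then
        echo "pkinit-enabled"; return 0
    elif [ -z "$pk" ]; then
        # configure never recorded PKINIT; the log is partial or unrelated.
        echo "unknown"; return 2
    elif [ "$ssl" = "no" ]; then
        # Assumption: a failed probe is logged as "result: no". This is the
        # case the reply attributes to missing OpenSSL development files.
        echo "openssl-check-failed"; return 1
    else
        echo "pkinit-disabled"; return 1
    fi
}

if [ $# -gt 0 ]; then
    pkinit_build_state "$1"
fi
```

A result of `openssl-check-failed` corresponds to the situation in this thread: install the OpenSSL development package for the platform and rerun configure.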
