[29878] in Kerberos
[Fwd: Re: problem in sending AS_REQ]
daemon@ATHENA.MIT.EDU (naveen.bn)
Tue May 27 11:08:58 2008
Message-ID: <483C241C.1080706@globaledgesoft.com>
Date: Tue, 27 May 2008 15:09:16 +0000
From: "naveen.bn" <naveen.bn@globaledgesoft.com>
To: kerberos <Kerberos@mit.edu>
Message-ID: <483C2371.9090608@globaledgesoft.com>
Date: Tue, 27 May 2008 15:06:25 +0000
From: "naveen.bn" <naveen.bn@globaledgesoft.com>
To: Kevin Coffman <kwc@umich.edu>
Subject: Re: problem in sending AS_REQ
References: <483ADF2B.9080907@globaledgesoft.com>
<4d569c330805270540o138ee5ew5b152f2375204d33@mail.gmail.com>
In-Reply-To: <4d569c330805270540o138ee5ew5b152f2375204d33@mail.gmail.com>
Kevin Coffman wrote:
>On Mon, May 26, 2008 at 12:02 PM, naveen.bn
><naveen.bn@globaledgesoft.com> wrote:
>
>>Hi all,
>>This is my krb5.conf
>>********************* krb5.conf ******************************
>>[libdefaults]
>> default_realm = _kerberos._udp.globaledgesoft.com
>> krb4_config = /usr/kerberos/lib/krb.conf
>> krb5_realms = /usr/kerberos/lib/krb.realms
>> pkinit_anchors = FILE:/secure/ca-cert.pem
>>
>>[realms]
>> _kerberos._udp.globaledgesoft.com = {
>> admin_server = 172.16.8.141
>> kdc = 172.16.8.141
>> v4_instance_convert = {
>> gesl = _kerberos._udp.globaledgesoft.com
>> lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com
>> }
>>
>> pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
>>
>> }
>> ANDREW.CMU.EDU = {
>> admin_server = 172.16.8.141
>> }
>># use "kdc =" if realm admins haven't put SRV records into DNS
>> GNU.ORG = {
>> kdc = 172.16.8.141
>> kdc = 172.16.9.141
>> admin_server = 172.16.8.141
>> }
>>
>>[domain_realm]
>> .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>> globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>
>>[logging]
>># kdc = CONSOLE
>> kdc=FILE:/var/krb5kdc.log
>> admin_server = FILE:/var/log/kadmin.log
>> default = FILE:/var/log/krb5lib.log
>>***********************************************************************
>>and this is my kdc.conf
>>[kdcdefaults]
>> kdc_ports = 750,88
>> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>> pkinit_anchors=DIR:/secure/ca-cert.pem
>
>For pkinit_anchors, you are specifying "DIR:", but giving a file name?
>
>>[realms]
>> _kerberos._udp.globaledgesoft.com = {
>> database_name = /usr/local/var/krb5kdc/principal
>> admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>> acl_file = /usr/local/var/krb5kdc/kadm5.acl
>> key_stash_file =
>>/usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>> kdc_ports = 750,88
>> max_life = 10h 0m 0s
>> max_renewable_life = 7d 0h 0m 0s
>>
>> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>> pkinit_anchors=DIR:/secure/ca-cert.pem
>> }
>>
>>***************************************** kdc.conf **********************
>>I have used the openssl program to generate the mycert.pem and key, but I
>>have not signed it with anything (neither self-signed nor with a CA).
>
>I'm not sure what you mean here. A certificate must be signed by
>someone/something. The client will not attempt preauth if the
>server's certificate is not trusted.
>
>>kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key
>>naveen
>>kinit(v5): Unknown code u8JW 88 while setting
>>'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key
>
>Obviously, there is a problem with that error code.
>
>>I am not able to send an AS_REQ with the pa-data filled with certificates.
>>I am stuck here, please help me.
>>
>>Thank you.
>>
>>With regards,
>>naveen
>
>The MIT client will not send pkinit information until the server
>indicates it will accept it. The server does this by indicating that
>the client principal requires preauthentication, and that pkinit is an
>acceptable form of preauthentication.
>
>Does the client principal have the requires_preauth flag set? Is the
>server telling the client that pkinit is an acceptable preauth method?
>
Hi Kevin,
Thank you for your reply; it helped me. I had not set the requires_preauth flag for the client. Now that
I have set the flag, I am getting the KRB5KDC_ERR_PREAUTH_REQUIRED message from the KDC, and then the client
sends padata with an encrypted timestamp and I am getting the ticket. But I want to send certificates to the KDC
and get the KDC certificates with DH parameters. Please kindly guide me.
And this is the concept that I have understood; please correct me if I am wrong. I need to generate the
ca-cert.pem and ca-private.key using the openssl tool, generate the RSA key for the client like kdc.pem and kdc.key,
then sign the kdc.pem with the ca-private.key to generate the KDC certificate, similarly for the client, and submit
the paths of these files in their profiles, right?
Thank you
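An added example, not part of the original thread and not MIT krb5 code, covering the procedure naveen sketches above together with the two points Kevin raised (the client only attempts PKINIT once the KDC demands preauthentication, and a single PEM file takes the FILE: prefix rather than DIR:). It generates the CA, KDC and client key pairs with openssl, signs the KDC and client certificates with the CA key, and adds what a plain openssl run leaves out and what the KDC and client actually look for: the PKINIT extended key usages and the id-pkinit-san principal name from RFC 4556, written in the extension-file syntax the MIT krb5 PKINIT documentation uses. The realm EXAMPLE.COM, the principal alice, the CN values and the scratch directory are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT krb5: issue a CA, a KDC
# certificate and a client certificate for PKINIT with openssl. EXAMPLE.COM,
# "alice", the CN values and the scratch directory are placeholders.
set -e

# Write an openssl extension file. Beyond ordinary leaf extensions, PKINIT
# (RFC 4556) needs: on the KDC cert, EKU id-pkinit-KPKdc (1.3.6.1.5.2.3.5) and
# a subjectAltName otherName id-pkinit-san (1.3.6.1.5.2.2) naming krbtgt/REALM;
# on the client cert, EKU id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) and the same
# kind of SAN naming the client principal (name_type 2 = NT-SRV-INST, 1 = NT-PRINCIPAL).
write_pkinit_extfile() {
    realm=$1 client=$2 out=$3
    cat >"$out" <<EOF
[ca_cert]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm=EXP:0,GeneralString:$realm
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type=EXP:0,INTEGER:2
name_string=EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:$realm
[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:client_princ_name
[client_princ_name]
realm=EXP:0,GeneralString:$realm
principal_name=EXP:1,SEQUENCE:client_principal_seq
[client_principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:client_principals
[client_principals]
princ1=GeneralString:$client
EOF
}

# Key, CSR, then a CA-signed certificate carrying the named extension section.
issue_leaf() {
    dir=$1 name=$2 section=$3
    openssl genrsa -out "$dir/${name}key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/${name}key.pem" -subj "/CN=$name" -out "$dir/$name.req"
    openssl x509 -req -in "$dir/$name.req" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/pkinit.cnf" -extensions "$section" \
        -out "$dir/$name.pem" 2>/dev/null
}

# Whole chain: CA, then kdc.pem and client.pem, then the trust check each side
# makes at AS exchange time (the peer's certificate must chain to an anchor).
issue_pkinit_certs() {
    dir=$1 realm=$2 client=$3
    write_pkinit_extfile "$realm" "$client" "$dir/pkinit.cnf"
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/cakey.pem" -subj "/CN=PKINIT test CA" -out "$dir/ca.req"
    openssl x509 -req -in "$dir/ca.req" -signkey "$dir/cakey.pem" -days 365 \
        -extfile "$dir/pkinit.cnf" -extensions ca_cert -out "$dir/cacert.pem" 2>/dev/null
    issue_leaf "$dir" kdc kdc_cert
    issue_leaf "$dir" client client_cert
    openssl verify -CAfile "$dir/cacert.pem" "$dir/kdc.pem" "$dir/client.pem"
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    issue_pkinit_certs "$work" EXAMPLE.COM alice
    # Where the files go. A single PEM file takes the FILE: prefix; DIR: means
    # a directory of certificates, which is what went wrong in the kdc.conf above.
    cat <<EOF
kdc.conf  [kdcdefaults] pkinit_identity = FILE:$work/kdc.pem,$work/kdckey.pem
                        pkinit_anchors  = FILE:$work/cacert.pem
krb5.conf [libdefaults] pkinit_anchors  = FILE:$work/cacert.pem
                        pkinit_identities = FILE:$work/client.pem,$work/clientkey.pem
kadmin.local -q "modprinc +requires_preauth alice"
kinit -X X509_user_identity=FILE:$work/client.pem,$work/clientkey.pem alice
EOF
fi
```

Run it with openssl on the PATH. The closing openssl verify is the same decision the client makes about the KDC's certificate and the KDC about the client's; if it fails, PKINIT will not be attempted, whatever the padata says. Two things to check when it still falls back to the encrypted timestamp: the realm string inside the KDC certificate's SAN must match the client's realm name exactly, and both sides must list the CA in pkinit_anchors. Once the principal has requires_preauth and the identities are configured, the client's AS-REQ carries PA-PK-AS-REQ with its certificate and DH public value, and the KDC's reply carries its own certificate and signed DH value, which is the exchange naveen is asking for.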
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos