[32054] in Kerberos
Re: URG: PKINIT error
daemon@ATHENA.MIT.EDU (Kevin Coffman)
Tue Feb 16 11:52:18 2010
In-Reply-To: <dca721831002152230g702960a3pdc1bc963406ee641@mail.gmail.com>
Date: Tue, 16 Feb 2010 11:52:12 -0500
Message-ID: <4d569c331002160852n25438c7dg33503bf894b129fd@mail.gmail.com>
From: Kevin Coffman <kwcoffman@gmail.com>
To: vinay kumar <winay.l@gmail.com>
Cc: kerberos@mit.edu
On Tue, Feb 16, 2010 at 1:30 AM, vinay kumar <winay.l@gmail.com> wrote:
> Hi all,
>
> I am implementing PKINIT. My krb5.conf and kdc.conf are as follows
>
> *************krb5.conf************
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = GLOBALEDGESOFT.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> pkinit_anchors = DIR:/ca/
>
> [realms]
> GLOBALEDGESOFT.COM = {
> kdc = 172.16.10.211
> admin_server = 172.16.10.211
> default_domain = globaledgesoft.com
> pkinit_identity = DIR:/client/
> }
>
> [domain_realm]
> .globaledgesoft.com = GLOBALEDGESOFT.COM
> globaledgesoft.com = GLOBALEDGESOFT.COM
>
> [kdc]
> profile = /etc/kdc.conf
> require-preauth = yes
> pkinit_identity = DIR:/kdc/
>
> [kadmin]
> require-preauth = yes
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
> ********************************************************
> **************kdc.conf********************************
> [kdcdefaults]
> kdc_ports = 750,88
> pkinit_anchors = DIR:/ca/
> pkinit_identity = DIR:/kdc/
>
> [realms]
> GLOBALEDGESOFT.COM = {
> database_name = /usr/local/var/krb5kdc/principal
> admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
> acl_file = /usr/local/var/krb5kdc/kadm5.acl
> key_stash_file = /usr/local/var/krb5kdc/.k5.GLOBALEDGESOFT.COM
> kdc_ports = 750,88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> pkinit_identity = FILE:/client/
> }
>
> [kdc]
> require-preauth = yes
> ***********************************************************
> I have generated the certificates using openssl:
> /ca contains ca.crt ca.csr ca.key
> /kdc contains kdc.crt kdc.csr kdc.key
> /client contains client.crt client.csr client.key
> ***********************************************************
>
> I have set the preauth flag for principals. When I do kinit
> vinay@GLOBALEDGESOFT.COM, it's sending only AS_REQ and in reply I am getting
> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED. Why am I getting this error? Why
> is it sending only AS_REQ (without containing preauthentication data)? What are
> the modifications needed? Please guide me.
>
> Regards,
> Vinay
This is normal. If the KDC's pkinit configuration is correct (the
plugin is available and correctly configured), its
KRB5KDC_ERR_PREAUTH_REQUIRED reply should list pkinit as a suitable
preauthentication method. The client should then respond with another
AS_REQ including the pkinit preauth information.
K.C.
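To make the reply's point concrete (the KDC's KRB5KDC_ERR_PREAUTH_REQUIRED carries, in its e-data, a METHOD-DATA listing the preauth types it accepts, and pkinit shows up there as PA-PK-AS-REQ, type 16, only when the KDC-side plugin is configured), here is an added example, not from this thread or from MIT krb5, that decodes such a METHOD-DATA with a minimal DER reader and reports whether pkinit was offered. The two METHOD-DATA blobs are constructed samples, not captured from the poster's KDC.

```python
"""Decode the METHOD-DATA (SEQUENCE OF PA-DATA) from a KRB-ERROR e-data field."""

# padata-type values from RFC 4120 and RFC 4556
PA_NAMES = {2: "PA-ENC-TIMESTAMP", 16: "PA-PK-AS-REQ", 19: "PA-ETYPE-INFO2"}
PA_PK_AS_REQ = 16


def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_method_data(blob):
    """Return [(padata-type, padata-value), ...] from a DER METHOD-DATA."""
    tag, body, _ = _tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("METHOD-DATA must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        tag, pa, pos = _tlv(body, pos)     # each PA-DATA is itself a SEQUENCE
        if tag != 0x30:
            raise ValueError("PA-DATA must be a SEQUENCE")
        tag1, inner1, p = _tlv(pa, 0)      # [1] EXPLICIT wrapping INTEGER padata-type
        tag2, inner2, _ = _tlv(pa, p)      # [2] EXPLICIT wrapping OCTET STRING padata-value
        if (tag1, tag2) != (0xA1, 0xA2):
            raise ValueError("unexpected context tags in PA-DATA")
        _, int_bytes, _ = _tlv(inner1, 0)
        _, value, _ = _tlv(inner2, 0)
        result.append((int.from_bytes(int_bytes, "big", signed=True), value))
    return result


def offers_pkinit(blob):
    """True if the KDC advertised PA-PK-AS-REQ, i.e. pkinit is enabled on its side."""
    return any(t == PA_PK_AS_REQ for t, _ in decode_method_data(blob))


# Constructed samples: PA-ENC-TIMESTAMP, PA-ETYPE-INFO2 (with a dummy value), then,
# in the first one only, PA-PK-AS-REQ with an empty padata-value.
SAMPLE_OFFERING_PKINIT = bytes.fromhex(
    "3023" "3009a103020102a2020400" "300ba103020113a20404023000" "3009a103020110a2020400")
SAMPLE_WITHOUT_PKINIT = bytes.fromhex(
    "3018" "3009a103020102a2020400" "300ba103020113a20404023000")

if __name__ == "__main__":
    for blob in (SAMPLE_OFFERING_PKINIT, SAMPLE_WITHOUT_PKINIT):
        offered = [PA_NAMES.get(t, str(t)) for t, _ in decode_method_data(blob)]
        print(offered, "-> pkinit offered" if offers_pkinit(blob) else "-> pkinit NOT offered")
```

If a real reply decodes without PA-PK-AS-REQ, the client never builds the pkinit AS-REQ, so the KDC-side pkinit setup is the place to look before touching the client.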
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos