[32318] in Kerberos
Re: pkinit-nss.
daemon@ATHENA.MIT.EDU (Nalin Dahyabhai)
Mon May 10 16:59:15 2010
Date: Mon, 10 May 2010 16:59:04 -0400
From: Nalin Dahyabhai <nalin@redhat.com>
To: Patrik Martinsson <Patrik.Martinsson@smhi.se>
Message-ID: <20100510205904.GG11497@redhat.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <4BE3DF0A.6000000@smhi.se>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, May 07, 2010 at 11:36:10AM +0200, Patrik Martinsson wrote:
> I'm curious about the pkinit-nss native support in kerberos > 1.6.3.
> Maybe I'm wrong here, but as I understand it I should not need the
> pkinit-nss plugin (http://git.fedorahosted.org/git/?p=pkinit-nss.git),
> as this is supposed to be inbuilt in kerberos. However I can't get the
> "inbuilt" pkinit-nss to work, and when I'm looking quickly through the
> source, I can't really see anything about nss (I'm not an experienced
> programmer, so I could definitely miss something).

They're two different code bases -- pkinit-nss was mainly useful before
1.6.3 was released, and if you're using 1.6.3 or anything later, I'd
recommend just using the version that's incorporated into the Kerberos
distribution.

> Today I've tried with the line (as a start, to see if smartcardlib even
> gets called)
> pkinit_identities = PKCS11:/path_to_my_smartcardlib

This goes in the [libdefaults] section of krb5.conf. If I'm remembering
it right, you also have to specify a "pkinit_anchors" value at minimum.

> Just out of curiosity I've run kinit with strace and tried to look for
> calls to that lib, but I can't see anything at all relating to that
> smartcardlib.

On Fedora, at least, the plugin's in a separate subpackage, so if you're
using a binary package, you might want to double-check that you have the
plugin on your system (/usr/lib*/krb5/plugins/preauth/pkinit.so).
HTH,
Nalin
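
The checks suggested in the reply above (plugin file present, `pkinit_identities` and `pkinit_anchors` set in `[libdefaults]`), written as shell functions. This is an added example, not part of the original message or of the Kerberos distribution. The function names and the plugin-directory argument are assumptions, and only the plain `PKCS11:/path` form quoted in the thread is checked for a module file.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the value of KEY ($2) from the [libdefaults] section of FILE ($1).
# Exit status 1 if the key is not set in that section.
libdefaults_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_sec && /^[ \t]*[#;]/ { next }          # skip comment lines
        in_sec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# $1 = krb5.conf path, $2 = preauth plugin directory
#      (e.g. one expansion of /usr/lib*/krb5/plugins/preauth).
# Prints one line per finding; returns 0 only if nothing is missing.
check_pkinit_client() {
    conf=$1 plugdir=$2 rc=0
    if [ ! -f "$plugdir/pkinit.so" ]; then
        echo "missing: $plugdir/pkinit.so (plugin subpackage not installed?)"
        rc=1
    fi
    for key in pkinit_identities pkinit_anchors; do
        if val=$(libdefaults_value "$conf" "$key"); then
            echo "ok: $key = $val"
        else
            echo "missing: $key in [libdefaults] of $conf"; rc=1
        fi
    done
    # A PKCS11:/path identity names a module file that must exist to be loaded.
    ident=$(libdefaults_value "$conf" pkinit_identities) || return "$rc"
    case $ident in
        PKCS11:/*) mod=${ident#PKCS11:}
                   [ -f "$mod" ] || { echo "missing: PKCS#11 module $mod"; rc=1; } ;;
    esac
    return "$rc"
}

# Run directly as: script.sh /etc/krb5.conf /usr/lib64/krb5/plugins/preauth
if [ "$#" -eq 2 ]; then check_pkinit_client "$1" "$2"; fi
```
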