[36032] in Kerberos
Help setting up PKINIT
daemon@ATHENA.MIT.EDU (Nordgren, Bryce L -FS)
Sun Apr 13 21:40:20 2014
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 14 Apr 2014 01:40:00 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6A8D2E@001FSN2MPN1-045.001f.mgd2.msft.net>
Content-Language: en-US
I designed what I thought was a dumber-than-dirt test environment for PKINIT, where nothing could go wrong. Two days later...

I've got two Fedora 20 virtual machines on a host-only network inside VirtualBox with static IPs and entries in the /etc/hosts file. One is the KDC and the other is the client.

Relevant packages (both machines):
* krb5-{libs,server,pkinit,workstation}-1.11.5-4.fc20
* openssl-libs-1.0.1e-37.fc20
* openssl-1.0.1e-37.fc20

I have "no-preauthentication" kinits working just fine, for the one user principal in the KDC. I then followed the instructions on http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html

The KDC initially complained that no realms were set up for PKINIT, thus PKINIT couldn't initialize. I ended up moving the keys/certs into /var/kerberos/krb5kdc because SELinux didn't like my original location of /root/Experiment1/. Fixed.

It now looks to me like the KDC returns a ticket, but kinit still asks for a password. I see a NEEDED_PREAUTH message chased by an ISSUE message in the KDC log, but kinit is sitting at the password prompt. (log attached)

Wireshark shows an initial AS_REQ on UDP 88, a KRB_ERROR, and a follow-up AS_REQ on TCP 88, having three padatas, of types 133, 16, and 149. A ticket was returned from the KDC in the AS_REP which follows. I attached Wireshark's text output, but I think the parser is a little off. It reports PA type 16 as PA_DASS, and type 17 as unknown.

I did try typing my password at kinit's password prompt, but kinit told me "password incorrect while getting initial credentials". "klist" shows that there are no tickets available. If I unset requires_preauth on my user account in the KDC, the password works.
Any ideas?
Thanks,
Bryce
This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
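The post reports a follow-up AS-REQ carrying padata types 133, 16 and 149 and doubts Wireshark's labels for them. The following added example (not code from the original post, from MIT krb5 or from Wireshark) builds and parses the PA-DATA list of an AS-REQ by hand so the type numbers can be checked directly against the RFC assignments: the DER layout is PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING } from RFC 4120, and the names come from RFC 4120 (7.5.2), RFC 4556 (3.2.1), RFC 6113 (5.2) and RFC 6806 (11). The padata-values in the sample are constructed placeholders, not captured PKINIT payloads.

```python
"""Encode and decode a Kerberos SEQUENCE OF PA-DATA (RFC 4120 section 5.2.7).

Added example, not code from the original post or from MIT krb5. The
padata-type names are taken from RFC 4120, RFC 4556, RFC 6113 and RFC 6806;
the sample values below are constructed placeholders.
"""

# padata-type numbers from the RFCs named above; anything else is reported
# as unknown rather than guessed.
PADATA_NAMES = {
    1: "PA-TGS-REQ",
    2: "PA-ENC-TIMESTAMP",
    3: "PA-PW-SALT",
    11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ-OLD",
    15: "PA-PK-AS-REP-OLD",
    16: "PA-PK-AS-REQ",          # RFC 4556 PKINIT request
    17: "PA-PK-AS-REP",          # RFC 4556 PKINIT reply
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",         # RFC 6113 KDC cookie
    136: "PA-FX-FAST",           # RFC 6113 FAST armor
    137: "PA-FX-ERROR",
    149: "PA-REQ-ENC-PA-REP",    # RFC 6806 request for enc-padata in the reply
}


def _der_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value):
    """DER INTEGER, minimal two's complement (133 encodes as 00 85)."""
    n = (value.bit_length() + 8) // 8   # +8 leaves room for the sign bit
    return _der_tlv(0x02, value.to_bytes(n, "big", signed=True))


def encode_pa_data(padata_type, padata_value):
    """One PA-DATA: [1] EXPLICIT Int32, [2] EXPLICIT OCTET STRING."""
    return _der_tlv(0x30,
                    _der_tlv(0xA1, _der_integer(padata_type)) +
                    _der_tlv(0xA2, _der_tlv(0x04, padata_value)))


def encode_padata_list(entries):
    """SEQUENCE OF PA-DATA, as carried in the KDC-REQ padata [3] field."""
    return _der_tlv(0x30, b"".join(encode_pa_data(t, v) for t, v in entries))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at pos, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    got, content, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, got))
    return content, nxt


def parse_padata_list(der):
    """Parse SEQUENCE OF PA-DATA into a list of (padata-type, padata-value)."""
    seq, end = _expect(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE OF PA-DATA")
    entries, pos = [], 0
    while pos < len(seq):
        item, pos = _expect(seq, pos, 0x30)
        type_wrapper, p = _expect(item, 0, 0xA1)
        type_int, _ = _expect(type_wrapper, 0, 0x02)
        value_wrapper, _ = _expect(item, p, 0xA2)
        value, _ = _expect(value_wrapper, 0, 0x04)
        entries.append((int.from_bytes(type_int, "big", signed=True), value))
    return entries


def describe(entries):
    """Name each padata-type from the RFC table; unknown numbers stay numeric."""
    return [PADATA_NAMES.get(t, "unknown(%d)" % t) for t, _ in entries]


# Constructed sample: the three types the post saw in the second AS-REQ.
# Values are placeholders; a real PA-PK-AS-REQ value is a DER CMS structure.
SAMPLE_ENTRIES = [
    (133, b"\x01\x02"),   # PA-FX-COOKIE echoed from the KRB-ERROR
    (16, b"\xde\xad"),    # PA-PK-AS-REQ placeholder
    (149, b""),           # PA-REQ-ENC-PA-REP carries an empty value
]

if __name__ == "__main__":
    der = encode_padata_list(SAMPLE_ENTRIES)
    for (t, v), name in zip(parse_padata_list(der), describe(SAMPLE_ENTRIES)):
        print("padata-type %3d  %-20s value=%s" % (t, name, v.hex()))
```

Run against the bytes of a captured AS-REQ, the parser only needs the padata [3] SEQUENCE OF sliced out of the KDC-REQ body; the number it prints for each entry is what should be compared with a dissector's label, since the RFC assignment is the authority and type 16 is PA-PK-AS-REQ regardless of what name an older table attaches to it.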
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos