[36188] in Kerberos
Re: krb5-1.12.1, pkinit, and openssl ca
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 9 11:58:14 2014
Message-ID: <5395D984.4050500@mit.edu>
Date: Mon, 09 Jun 2014 11:57:56 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: "squidmobile@fastmail.fm" <squidmobile@fastmail.fm>, kerberos@mit.edu
In-Reply-To: <1402266905.5146.126538997.47F9A17E@webmail.messagingengine.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 06/08/2014 06:35 PM, squidmobile@fastmail.fm wrote:
> pkinit_identity = DIR:/home/%{username}/.krb5.id

I think this is the source of your problems in two ways:

1. pkinit_identity is only for the KDC. pkinit_identities is for
clients. This is of course very confusing (the variables should have
been named with "kdc" and "client" substrings), and the documentation
should do more to highlight the difference.

2. pkinit_identity isn't processed through path token substitution.
This is largely a historical accident; PKINIT was introduced in 1.6,
while path substitution was introduced along with default_ccache_name in
1.11. The best you can do right now is specify pkinit_identities =
ENV:SOMEENVVARNAME, and then make each user's dotfiles set
SOMEENVVARNAME to DIR:/path/to/their/home/directory/.krb5.id.

I will file three issues about the confusing profile variable names,
lack of path substitution, and lack of a path substitution token for the
home directory.

> KRB5_TRACE=/dev/stdout kinit \
> -X X509_user_identity=DIR:/home/test/.krb5.id my/principal
[...]
> Jun 7 18:14:46 kdc krb5kdc[6158]: preauth (pkinit) verify failure:
> Client name mismatch

We need better logging for this situation; I will file a fourth issue
about that.

I went back over your earlier messages and didn't see a transcript of
how you created the client certificate, so I'm not sure what the misstep
was. (The instructions in the documentation do work.)
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
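The client-side workaround described in the reply above, written out as an added POSIX shell example. This is not code from the thread or from the MIT krb5 project: the environment variable name KRB5_PKINIT_ID, the realm EXAMPLE.COM, and every path in it are assumptions, and the identity directory it creates is constructed for the demo. The script writes the corrected client krb5.conf (pkinit_identities with an ENV: token, the KDC-only pkinit_identity line left commented out as the mistake), emits the line each user's dotfile needs, and checks that a DIR: identity directory actually holds a *.crt / *.key pair, which is what the DIR: identity type scans for.

```shell
#!/bin/sh
# Added example, not part of the original thread or of MIT krb5.
# Assumptions (hypothetical): env var name KRB5_PKINIT_ID, realm EXAMPLE.COM, paths.
set -eu

# Client-side krb5.conf. pkinit_identities (plural) is the client relation;
# it is not run through %{username} substitution, so the per-user path has to
# come from the environment. pkinit_identity (singular) belongs to the KDC.
write_client_krb5_conf() {
    # $1 = path of the krb5.conf to write
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    # wrong on a client: KDC-only relation, and %{username} is not expanded here
    #pkinit_identity = DIR:/home/%{username}/.krb5.id
    # workaround: let each user's shell supply the per-user identity path
    pkinit_identities = ENV:KRB5_PKINIT_ID
EOF
}

# The line to put in each user's dotfile (~/.profile or equivalent).
dotfile_line() {
    # $1 = the user's home directory
    printf 'export KRB5_PKINIT_ID=DIR:%s/.krb5.id\n' "$1"
}

# Sanity check for a DIR: identity: the directory must contain at least one
# foo.crt with a matching foo.key. Returns 0 if such a pair exists, 1 otherwise.
check_dir_identity() {
    dir="${1#DIR:}"
    [ -d "$dir" ] || return 1
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        key="${crt%.crt}.key"
        [ -f "$key" ] && return 0
    done
    return 1
}

# Stand-alone demo on a constructed (empty-file) identity directory.
demo() {
    tmp=$(mktemp -d)
    write_client_krb5_conf "$tmp/krb5.conf"
    mkdir "$tmp/.krb5.id"
    touch "$tmp/.krb5.id/user.crt" "$tmp/.krb5.id/user.key"   # constructed placeholders
    dotfile_line "$tmp"
    check_dir_identity "DIR:$tmp/.krb5.id" && echo "identity dir OK"
    grep 'pkinit_identities' "$tmp/krb5.conf"
    rm -rf "$tmp"
}
```

With the variable exported, `kinit my/principal` picks the identity up from the profile; the explicit `kinit -X X509_user_identity=DIR:...` form from the original post still overrides it for one run.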