Re: Advice on cross-realm PKINIT?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 9 23:31:11 2014
Message-ID: <53967BEA.7080609@mit.edu>
Date: Mon, 09 Jun 2014 23:30:50 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>,
"kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D4A9B@001FSN2MPN1-044.001f.mgd2.msft.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 06/09/2014 08:36 PM, Nordgren, Bryce L -FS wrote:
> And now "kinit test/EXTERNAL.ORG" results in a client name mismatch. (Also defined on p 15 of RFC 4556). The trace indicates that kinit is correctly seeking credentials for "test/EXTERNAL.ORG@EXAMPLE.COM". I cannot get openssl to display the extension fields. I have not yet discovered a way for tshark to display the pkinit preauth. However, I triple-checked the signing command in my history against this principal. As far as I can tell, the principal in the KDC database, on the kinit command line, and in the certificate I'm using for PKINIT are all the same, and I'm still getting a client name mismatch. Does openssl not like slashes in environment variable expansions?
Well, more precisely, OpenSSL doesn't understand the slash. It's
creating a principal SAN with one name component "test/EXTERNAL.ORG",
which the KDC is comparing to a principal with two components "test" and
"EXTERNAL.ORG". It's a relatively simple tweak to the extensions file
to create a two-principal SAN from two different environment variables;
you can see how it's done in extensions.kdc.
I think this is also Frank Smith's issue, coincidentally. I will file
an issue noting that we need to improve the documentation.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
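The extensions-file tweak Greg describes, written out as an added example (this is not MIT krb5's shipped extensions.client or extensions.kdc): the SAN is an id-pkinit-san otherName carrying a KRB5PrincipalName, and each entry in the `[principals]` section becomes one name-string component, so a two-component principal needs two entries fed from two variables. The variable names CLIENT1 and CLIENT2 are assumptions; REALM and CLIENT follow the naming in the MIT files.

```ini
# Added example, not the project's own extensions file.
# Assumed environment: REALM=EXAMPLE.COM CLIENT1=test CLIENT2=EXTERNAL.ORG
# Usage:
#   openssl x509 -req -in client.req -CA cacert.pem -CAkey cakey.pem \
#       -extfile this.conf -extensions client_cert -out client.pem

[client_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,keyAgreement
# id-pkinit-KPClientAuth
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# id-pkinit-san (1.3.6.1.5.2.2): otherName holding a KRB5PrincipalName
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

# KRB5PrincipalName ::= SEQUENCE { realm [0] Realm,
#                                  principalName [1] PrincipalName }
[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq

# PrincipalName ::= SEQUENCE { name-type [0] Int32,
#                              name-string [1] SEQUENCE OF KerberosString }
[principal_seq]
# 1 = KRB_NT_PRINCIPAL
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

# What the slash-in-one-variable setup produced (shown commented out):
#   [principals]
#   princ1 = GeneralString:${ENV::CLIENT}      # CLIENT=test/EXTERNAL.ORG
# gives ONE name-string component, "test/EXTERNAL.ORG", which the KDC
# compares against the two components "test" and "EXTERNAL.ORG" and
# reports a client name mismatch.

# One entry per principal component, each from its own variable, so the
# SAN encodes "test", "EXTERNAL.ORG" exactly as the KDC database does.
[principals]
princ1 = GeneralString:${ENV::CLIENT1}
princ2 = GeneralString:${ENV::CLIENT2}
```

`openssl x509 -text` prints this otherName only as unsupported; `openssl asn1parse -in client.pem -strparse <offset>` on the extension's offset shows the GeneralString components, which is a quick way to confirm how many name-string entries the certificate actually carries.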