[36706] in Kerberos


Re: Clear as mud: PKINIT and -nokey principal addition (krb5-1.13)

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jan 5 12:26:36 2015

Message-ID: <54AAC93D.20105@mit.edu>
Date: Mon, 05 Jan 2015 12:26:21 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Siddharth Mathur <smathur@blackbuck.mobi>, kerberos@mit.edu
In-Reply-To: <CABMjiNvsLpJGO0jaANMrY0ZWvWoJZq5sGS3w4YJ9uBk2hCgVdg@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 01/05/2015 03:24 AM, Siddharth Mathur wrote:
> Despite deploying the right kind of client certificates on my mobile
> devices (iOS) and using the right type of certificate on the KDC, I am
> not sure if they are talking certificates at all. How do I debug if
> the certificate matching rules are actually being evaluated on the
> server, assuming the client is using its cert in the first place?

With a desktop client it's easy to see what's going on using KRB5_TRACE
on the client, but with a mobile app that's not so easy.  Wireshark or
another network-tracing tool can help, although interpreting the output
can be tricky.

> The krb5kdc.log file has no PKINIT events at all when a client request
> comes in. This is despite rebuilding the plugin with DEBUG macro on in
> the header file. Any pointers?

PKINIT DEBUG output just goes to stdout, so you need to run krb5kdc -n
and look at the terminal output to see it.

> Since all my users will be _new_ users, I wish to have no passwords at
> all while creating new user (device) principals, relying only on PKI.
> The PKINIT documentation
> (http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html)
> suggests using the -nokey argument for add_principal, but I still get
> errors issuing a new token.
> 
> add_principal +requires_preauth -nokey 197f67@DOMAIN.MOBI
> 
> AS_REQ (4 etypes {18 17 16 23}) 182.74.74.193: NEEDED_PREAUTH:
> 197f67@DOMAIN.MOBI for krbtgt/DOMAIN.MOBI@DOMAIN.MOBI, Additional
> pre-authentication required

A NEEDED_PREAUTH error is a normal part of a preauthentication scenario,
so I'll need more information to be able to help with this.

It might help to try deploying to a regular Unix client, to help
distinguish between client-side issues with the iOS Kerberos
implementation (which I'm not very familiar with) and server-side issues.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
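As an added illustration of Greg's point that NEEDED_PREAUTH is a normal first leg of the exchange (this is example code, not part of the thread or of MIT krb5): the parser below groups AS_REQ lines from a krb5kdc.log by client principal and reports whether the preauth round trip completed, failed, or stalled after the initial NEEDED_PREAUTH. The sample log is constructed; only the NEEDED_PREAUTH line mirrors the one quoted above, and the ISSUE and PREAUTH_FAILED line formats are assumed.

```python
import re
from collections import defaultdict

# Constructed krb5kdc.log sample. The first NEEDED_PREAUTH line mirrors the
# one quoted in the thread; the other lines (and the syslog prefix) are
# assumed formats written for this example, not copied from a real KDC.
SAMPLE_LOG = """\
Jan 05 03:20:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 182.74.74.193: NEEDED_PREAUTH: 197f67@DOMAIN.MOBI for krbtgt/DOMAIN.MOBI@DOMAIN.MOBI, Additional pre-authentication required
Jan 05 03:20:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: NEEDED_PREAUTH: alice@DOMAIN.MOBI for krbtgt/DOMAIN.MOBI@DOMAIN.MOBI, Additional pre-authentication required
Jan 05 03:20:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: ISSUE: authtime 1420435202, etypes {rep=18 tkt=18 ses=18}, alice@DOMAIN.MOBI for krbtgt/DOMAIN.MOBI@DOMAIN.MOBI
Jan 05 03:20:05 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: NEEDED_PREAUTH: bob@DOMAIN.MOBI for krbtgt/DOMAIN.MOBI@DOMAIN.MOBI, Additional pre-authentication required
Jan 05 03:20:06 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: bob@DOMAIN.MOBI for krbtgt/DOMAIN.MOBI@DOMAIN.MOBI, Preauthentication failed
"""

# "AS_REQ (<etypes>) <client addr>: <STATUS>: <rest of line>"
AS_REQ_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<client>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)")
# The requesting principal is the name just before "for krbtgt/".
PRINC_RE = re.compile(r"(?P<princ>\S+@\S+) for krbtgt/")


def classify_as_exchanges(log_text):
    """Map each client principal to the outcome of its AS exchange:
    'completed'  NEEDED_PREAUTH was followed by an ISSUE (normal, healthy)
    'failed'     a PREAUTH_FAILED was logged (wrong key / bad preauth data)
    'stalled'    only NEEDED_PREAUTH lines, i.e. the client never came back
                 with a second AS_REQ carrying preauth data (e.g. no PKINIT)
    'other'      any combination not covered above."""
    statuses_by_princ = defaultdict(list)
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        if not m:
            continue
        p = PRINC_RE.search(m.group("rest"))
        if not p:
            continue
        statuses_by_princ[p.group("princ")].append(m.group("status"))

    result = {}
    for princ, statuses in statuses_by_princ.items():
        if "ISSUE" in statuses:
            result[princ] = "completed"
        elif "PREAUTH_FAILED" in statuses:
            result[princ] = "failed"
        elif all(s == "NEEDED_PREAUTH" for s in statuses):
            result[princ] = "stalled"
        else:
            result[princ] = "other"
    return result


if __name__ == "__main__":
    for princ, outcome in sorted(classify_as_exchanges(SAMPLE_LOG).items()):
        print(f"{princ:30s} {outcome}")
```

A principal that only ever shows NEEDED_PREAUTH points at the client side (the device never answered the preauth challenge), which is the distinction Greg suggests checking with a regular Unix client.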
