Help using PKINIT (MIT)
daemon@ATHENA.MIT.EDU (JAKOBI Pascal)
Thu Mar 31 07:29:10 2011
From: JAKOBI Pascal <pascal.jakobi@thalesgroup.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 31 Mar 2011 13:28:39 +0200
Message-ID: <31777_1301570940_4D94657C_31777_19073_1_0d279ca2-e310-44d6-b73c-50221e000ae3@THSONEA01HUB01P.one.grp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi there,
I need help in order to get PKINIT working on Fedora 14.
I have a running kerberos server with krb-server, krb-server-ldap and so
on (1.8.2).
I also have installed krb5-pkinit-openssl.
The stuff works like a charm when running in "standard" kerberos, i.e.
w/o pkinit.
Then we tried to set up pkinit according to the instructions found at
http://k5wiki.kerberos.org. In particular, we checked our certs carefully.
However, the behaviour does not seem correct.
We issue a kinit -X x509_user_identity=<DN found in the client cert>
<principal> on the client side (another Fedora instance with software
certs).
With Wireshark, we see that an AS-REQ is sent to the server. However, it
does not seem to convey any certificate (pa-data type = 149).
Then the server replies with ERR_PREAUTH_REQUIRED (the principal that is
used has its preauth option set). Is this normal?
As a result of this, the standard AS_REQ/REP procedure seems to be
played (as a password is requested on the client side).
The problem is that even when recompiling pkinit with DEBUG set, we
cannot see anything....
Any help (very) greatly appreciated.
Thanks
Pascal
--
Pascal Jakobi
Sr. Architect, Thales
1 av. A. Fresnel
91767 Palaiseau, France
Tel. : +33 1 69 41 60 51
Mob.: +33 6 87 47 58 19
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
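The exchange described in the post, modeled as an added example that is not part of the original message and not MIT krb5 code. It simulates how an MIT-style client drives AS preauth: the first AS-REQ is sent without a certificate (type 149 is PA-REQ-ENC-PA-REP, not PKINIT data), the KDC answers KDC_ERR_PREAUTH_REQUIRED with the preauth types it accepts, and the client's pkinit module only contributes PA-PK-AS-REQ (type 16) on the retry if it could load the identity given with `-X X509_user_identity=`. If that module produces nothing, kinit falls back to encrypted-timestamp preauth and prompts for a password. The preauth type numbers come from RFC 4120, RFC 4556 and RFC 6806, the identity prefixes (`FILE:`, `PKCS12:`, `PKCS11:`, `DIR:`, `ENV:`) from the MIT pkinit documentation; everything else (the `SimKDC`/`SimClient` classes, the principal, realm and paths) is constructed for the example, and a file-existence check stands in for actually loading a certificate.

```python
"""Simulated Kerberos AS exchange with PKINIT preauth (constructed example).

Not MIT krb5 code: no ASN.1, no cryptography, no real certificate handling.
"""
from dataclasses import dataclass

# Preauth type numbers: RFC 4120 sec. 7.5.2, RFC 4556 sec. 3.1, RFC 6806 sec. 11
PA_ENC_TIMESTAMP = 2       # password-based preauth
PA_PK_AS_REQ = 16          # client's PKINIT request carrying its certificate
PA_PK_AS_REP = 17          # KDC's PKINIT reply
PA_ETYPE_INFO2 = 19        # salt/etype hint for password preauth
PA_REQ_ENC_PA_REP = 149    # "please include enc-pa-rep"; carries no certificate
KDC_ERR_PREAUTH_REQUIRED = 25

# Identity forms accepted by kinit -X X509_user_identity= (MIT pkinit docs).
# A bare subject DN is not one of them.
IDENTITY_PREFIXES = ("FILE:", "PKCS12:", "PKCS11:", "DIR:", "ENV:")


def parse_identity(spec):
    """Return (kind, value) for an accepted identity spec, else None."""
    for prefix in IDENTITY_PREFIXES:
        if spec.startswith(prefix):
            return prefix[:-1], spec[len(prefix):]
    return None


@dataclass
class ASReq:
    principal: str
    padata: list   # [(pa_type, payload), ...]


@dataclass
class KrbError:
    error_code: int
    hint_patypes: list   # METHOD-DATA the KDC offers in e-data


@dataclass
class ASRep:
    padata: list


class SimKDC:
    """KDC that enforces requires_preauth and optionally supports PKINIT (constructed)."""

    def __init__(self, preauth_principals, pkinit_enabled=True):
        self.preauth_principals = set(preauth_principals)
        self.pkinit_enabled = pkinit_enabled

    def handle(self, req):
        types = [t for t, _ in req.padata]
        satisfied = PA_ENC_TIMESTAMP in types or (self.pkinit_enabled and PA_PK_AS_REQ in types)
        if req.principal in self.preauth_principals and not satisfied:
            hints = [PA_ETYPE_INFO2, PA_ENC_TIMESTAMP]
            if self.pkinit_enabled:
                hints.append(PA_PK_AS_REQ)
            return KrbError(KDC_ERR_PREAUTH_REQUIRED, hints)
        if PA_PK_AS_REQ in types:
            return ASRep([(PA_PK_AS_REP, "PKINIT reply")])
        return ASRep([])


class SimClient:
    """Client mimicking kinit: optimistic first AS-REQ, then preauth picked from KDC hints."""

    def __init__(self, identity_spec, readable_files=()):
        self.identity = parse_identity(identity_spec)
        self.readable_files = set(readable_files)   # stands in for loadable cert/key files
        self.password_prompted = False
        self.trace = []   # (direction, message) pairs, for inspection

    def _pkinit_padata(self):
        """What the pkinit client module contributes, or None if the identity cannot be loaded."""
        if self.identity is None:
            return None
        kind, value = self.identity
        if kind == "FILE":
            paths = value.split(",")   # FILE:certfile[,keyfile]
            if not all(p in self.readable_files for p in paths):
                return None
            return (PA_PK_AS_REQ, "certificate from %s" % paths[0])
        return (PA_PK_AS_REQ, "certificate via %s" % kind)

    def _send(self, kdc, req):
        self.trace.append(("C->KDC", req))
        rep = kdc.handle(req)
        self.trace.append(("KDC->C", rep))
        return rep

    def kinit(self, kdc, principal):
        """Return 'pkinit', 'password', 'no-preauth' or 'failed'."""
        rep = self._send(kdc, ASReq(principal, [(PA_REQ_ENC_PA_REP, b"")]))  # no cert yet
        if isinstance(rep, ASRep):
            return "no-preauth"
        if rep.error_code != KDC_ERR_PREAUTH_REQUIRED:
            return "failed"
        if PA_PK_AS_REQ in rep.hint_patypes:
            pk = self._pkinit_padata()
            if pk is not None:
                rep = self._send(kdc, ASReq(principal, [pk]))
                return "pkinit" if isinstance(rep, ASRep) else "failed"
        if PA_ENC_TIMESTAMP in rep.hint_patypes:
            self.password_prompted = True   # pkinit module gave nothing; fall back to password
            rep = self._send(kdc, ASReq(principal, [(PA_ENC_TIMESTAMP, "encrypted timestamp")]))
            return "password" if isinstance(rep, ASRep) else "failed"
        return "failed"


def padata_types(msg):
    """Preauth type numbers in an AS-REQ/AS-REP (what Wireshark shows as pa-data type)."""
    return [t for t, _ in msg.padata]
```

Inspecting `client.trace` after `kinit()` reproduces what the post saw on the wire: the first request carries only type 149 and the KDC's reply is error 25 in both cases, so those two steps are expected. The case to look at is the retry: an identity the module can load yields a second AS-REQ with type 16, while an identity it cannot load (a bare DN, a missing key file) yields a password prompt and an encrypted-timestamp request instead, with no PKINIT message ever leaving the client.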