
Debugging PKINIT

daemon@ATHENA.MIT.EDU (Bram Cymet)
Wed May 4 09:56:49 2011

Message-ID: <4DC15B10.3060502@cbnco.com>
Date: Wed, 04 May 2011 09:56:32 -0400
From: Bram Cymet <bcymet@cbnco.com>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi,

I am having some trouble trying to kinit using certificates. I can see
through an strace that the certificate, key, and ca cert files are being
read but then kinit still asks me for my password.

Is there any way I can tell (either on the client or the server) why
there is a problem with the cert, or if kinit is doing anything with the
certs other than reading them?

This is my krb5.conf on my client:

TESTLDAP.CBN = {
        pkinit_anchors = FILE:/home/bcymet/Downloads/crltest-cacert.pem
        pkinit_identities = FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem
        X509_user_identity = FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem
        pkinit_eku_checking = kpKDC
        pkinit_kdc_hostname = cbnca-auriga-prod
        pkinit_cert_match = <SUBJECT>O=cbn,OU=jrz,CN=bcymet$
        kdc = cbnca-auriga-prod.jrz.cbn
        master_kdc = cbnca-auriga-prod
        default_domain = test.cbn
        X509_anchors = FILE:/home/bcymet/Downloads/crltest-cacert.pem
        admin_server = cbnca-auriga-prod
        pkinit_require_crl_checking = false
        pkinit_revoke = DIR:/etc/krb5/
}

and on the server:

TESTLDAP.CBN = {
        kdc = cbnca-auriga-prod
        admin_server = cbnca-auriga-prod
        master_kdc = cbnca-auriga-prod
        default_domain = testLDAP.cbn
        enable-pkinit = true
        pkinit_identity = FILE:/etc/krb5/cbnca-auriga-prod-cert.pem,/etc/krb5/cbnca-auriga-prod-privkey.pem
        pkinit_anchors = FILE:/etc/krb5/crltest-cacert.pem
        pkinit_eku_checking = kpClientAuth
        pkinit_allow_proxy_certificate = false
        pkinit_allow_upn = false
        #pkinit_revoke = DIR:/etc/krb5/
        #pkinit_require_crl_checking = false

        database_module = openldap_ldapconf

        key_stash_file = /usr/local/var/krb5kdc/.k5.TESTLDAP.CBN
        #auth_to_local = RULE:[1:$1]
        #auth_to_local = RULE:[2:$1]
        #auth_to_local = DEFAULT
}

Thanks,

-- 
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
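An added pre-flight check for the situation described in this post (my own example, not the poster's configuration or MIT krb5 code): a POSIX shell function that tests a certificate the way the PKINIT peer will, chaining it to the pkinit_anchors file and looking for the PKINIT extended key usage that the other side's pkinit_eku_checking setting demands. The function name, the role names and the exit codes are assumptions of this example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added pre-flight check for a PKINIT certificate (hypothetical helper, not
# part of MIT krb5): does CERT chain to the anchor file, and does it carry the
# EKU the peer will demand?  Needs only the openssl CLI.
#   role client: id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4, required by a KDC
#                configured with pkinit_eku_checking = kpClientAuth
#   role kdc:    id-pkinit-KPKdc 1.3.6.1.5.2.3.5, required by a client
#                configured with pkinit_eku_checking = kpKDC
# Returns 0 ok, 1 chain does not verify, 2 required EKU absent, 3 bad usage.
check_pkinit_cert() {
  role=$1; anchors=$2; cert=$3
  case "$role" in
    client) oid='1.3.6.1.5.2.3.4'; alias='pkinit.*client' ;;
    kdc)    oid='1.3.6.1.5.2.3.5'; alias='kdc' ;;
    *) echo "usage: check_pkinit_cert client|kdc ANCHORS.pem CERT.pem" >&2
       return 3 ;;
  esac
  # Step 1: the same path validation the peer performs against pkinit_anchors.
  # Match on the "OK" text rather than the exit status, which older openssl
  # releases did not set reliably.
  if ! openssl verify -CAfile "$anchors" "$cert" 2>&1 | grep -q ': OK$'; then
    echo "$cert: does not chain to $anchors" >&2
    return 1
  fi
  # Step 2: the EKU check. "openssl x509 -text" prints a known OID by its long
  # name and an unknown one numerically, so accept either spelling.
  if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
       | sed -n '/Extended Key Usage/{n;p;}' | grep -Eiq "$oid|$alias"; then
    echo "$cert: extendedKeyUsage lacks $oid" >&2
    return 2
  fi
  # Show the subject so it can be compared with pkinit_cert_match by eye.
  openssl x509 -in "$cert" -noout -subject
}
```

Run it as check_pkinit_cert client with the KDC's pkinit_anchors file and the client certificate, and as check_pkinit_cert kdc with the client's pkinit_anchors file and the KDC certificate, since each side's pkinit_eku_checking is a requirement on the other side's certificate. If both pass, running kinit with KRB5_TRACE=/dev/stderr set (MIT krb5 1.9 and later) shows at which preauth step PKINIT is abandoned before the password fallback.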