[39437] in Kerberos

home help back first fref pref prev next nref lref last post

Re: recent certificate failure for pkinit

daemon@ATHENA.MIT.EDU (Carson Gaspar)
Mon Jul 8 17:51:44 2024

Message-ID: <ca4ed132-8911-49ed-95bd-ba24e0f4d47d@taltos.org>
Date: Mon, 8 Jul 2024 17:52:21 -0400
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Language: en-US
From: Carson Gaspar <carson@taltos.org>
In-Reply-To: <CAOLfK3XsL_QKci34mgeWdpra6Fr3AbDfiMPm+ufd0P2L4-DshA@mail.gmail.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu


On 7/8/2024 2:54 PM, Matt Zagrabelny via Kerberos wrote:
> Greetings Kerberos-users,
>
> I've been successfully using OTP and pkinit for the past year or so. Within
> the last week, or so, it has started to fail with:
>
> client:
> $ /usr/bin/kinit -n -c /tmp/.kerberos_cache
> kinit: Preauthentication failed while getting initial credentials
>
> KDC:
> KDC_RETURN_PADATA:WELLKNOWN/ANONYMOUS@EXAMPLE.COM  for krbtgt/
> EXAMPLE.COM@EXAMPLE.COM, Failed to verify own certificate (depth 0): unable
> to get local issuer certificate

I've run into this error before. MIT's KDC, for some bizarre reason, 
insists that its server cert validate against the same set of CAs used 
to authorize client PKINIT certs. This is insecure and a terrible idea, 
but oh well. So make sure that the KDC server cert validates against the 
set of CAs you've specified in the config file.

If you want more debugging, AFAIK you'll need to recompile the pkinit 
plugin and set a CPP debug macro to 1 to get more useful info out of it 
(and the debug output goes to stderr as I recall).

-- 

Carson
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post