[39532] in Kerberos
Re: PKINIT client has no configured identity; giving up?
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Sun Jul 27 19:18:15 2025
Message-Id: <202507272317.56RNHvIB016249@hedwig.cmf.nrl.navy.mil>
To: Nick <atod101101@gmail.com>
cc: kerberos@mit.edu
In-Reply-To: <CAG9BPSWYZH=OQ34tjodgyEdAq0CJzVU1Tfxh0mcEP1b=qvLfAA@mail.gmail.com>
Date: Sun, 27 Jul 2025 19:17:56 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>I'm testing out PKINIT and encountered this error in the subject line.
>Does anyone know what it's related to and/or how to debug and resolve
>it further?
>
>So far, PKINIT talks to the KDC, receives an MIT cookie and loads the
>identity files: client0.pem and clientkey0.pem being invoked by 'kinit
>-X X509_user_identity=FILE:/client0.pem,/clientkey0.pem'. I'm still
>being requested to provide a password, which I understand should not
>be required with PKINIT.
About a half-dozen things could cause that error; for example, if
you didn't configure PKINIT with the correct root and intermediate
certificates so the client couldn't build a complete chain back to a
trusted root, you'd get that.
I was going to suggest you use the KRB5_TRACE environment variable to
get further debug output, but I think if you got that message then you
already did that; what is causing the root issue should be in that
trace information (before that message).
BTW, I believe that if your client key is protected with a password then
you might get a password prompt for the key.
--Ken
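
The checks suggested in the reply above, as an added example (not from the thread or the krb5 project): it tests whether the key file is passphrase-protected, verifies the certificate against a CA file, and pulls the PKINIT lines that precede the error out of a KRB5_TRACE log. The function names, the anchors file argument and the sample trace lines are assumptions.

```shell
#!/bin/sh
# Added example. Function names and file arguments are hypothetical.

# Succeeds if the PEM key file needs a passphrase: PKCS#8 uses the
# "ENCRYPTED PRIVATE KEY" label, traditional OpenSSL keys a Proc-Type header.
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Prints the PKINIT trace lines logged before the "giving up" message,
# which is where the underlying cause is reported.
pkinit_lines_before_giveup() {
    awk '/PKINIT client has no configured identity; giving up/ { exit }
         /PKINIT/ { print }' "$1"
}

# Constructed trace for trying the filter offline; only the "giving up"
# message text comes from the thread, the other lines are made up.
sample_trace() {
    cat <<'EOF'
[4242] 1753658276.000001: Getting initial credentials for user@EXAMPLE.COM
[4242] 1753658276.000002: PKINIT (constructed) no chain to a trusted root
[4242] 1753658276.000003: PKINIT client has no configured identity; giving up
[4242] 1753658276.000004: PKINIT (constructed) line after the message
EOF
}

# diagnose_pkinit CERT KEY ANCHORS PRINCIPAL
diagnose_pkinit() {
    if key_is_encrypted "$2"; then
        echo "$2 is passphrase-protected; a prompt for the key is expected" >&2
    fi
    # Add -untrusted INTERMEDIATES.pem if the chain has intermediates.
    openssl verify -CAfile "$3" "$1" >&2 ||
        echo "$1 does not chain to a root in $3" >&2
    trace=$(mktemp)
    KRB5_TRACE="$trace" kinit -X "X509_user_identity=FILE:$1,$2" \
        -X "X509_anchors=FILE:$3" "$4"
    pkinit_lines_before_giveup "$trace"
    rm -f "$trace"
}

# Run the full check only when all four arguments are supplied.
if [ "$#" -eq 4 ]; then
    diagnose_pkinit "$@"
fi
```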