Help setting up PKINIT

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Sun Apr 13 21:40:00 EDT 2014 

I designed what I thought was a dumber-than-dirt test environment for PKINIT, where nothing could go wrong. Two days later...

I've got two Fedora 20 virtual machines on a host-only network inside VirtualBox with static IPs and entries in the /etc/hosts file. One is the KDC and the other is the client.

Relevant Packages (both machines):


*         krb5-{libs,server,pkinit,workstation}-1.11.5-4.fc20

*         openssl-libs-1.0.1e-37.fc20

*         openssl-1.0.1e-37.fc20

I have "no-preauthentication" kinits working just fine, for the one user principal in the KDC. I then followed the instructions on http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html

The KDC initially complained that no realms were set up for PKINIT, thus PKINIT couldn't initialize. I ended up moving the keys/certs into /var/kerberos/krb5kdc because SELinux didn't like my original location of /root/Experiment1/. Fixed.

It now looks to me like the KDC returns a ticket, but kinit still asks for a password. I see  a NEEDED_PREAUTH message chased by an ISSUE message in the KDC log, but kinit is sitting at the password prompt. (log attached)

Wireshark shows an initial AS_REQ on UDP 88, a KRB_ERROR, and a followup AS_REQ on TCP 88, having three padatas, of types 133, 16, and 149. A ticket was returned from the KDC in the AS_REP which follows. I attached wireshark's text output, but I think the parser is a little off. It reports PA type 16 as PA_DASS, and type 17 as unknown.

I did try typing my password at kinit's password prompt, but kinit told me "password incorrect while getting initial credentials". "klist" shows that there's no tickets available. If I unset requires_preauth on my user account in the KDC, the password works.

Any ideas?

Thanks,
Bryce






This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

More information about the Kerberos mailing list