"KDC_NOT_TRUSTED" error

Anna M anna.mammen at mindteck.com
Tue Apr 15 01:58:16 EDT 2003


Hi,

I am getting the error "KDC_NOT_TRUSTED" while trying to talk to the Microsoft KDC from a Linux client using Heimdal's PKINIT.
In Heimdal's site http://home.zhwin.ch/~sri/kerberos_pkinit/ they have addressed this problem in their FAQ section: <<<Why does the kinit program abort with the error message: kinit: krb5_get_init_creds: KDC not trusted, although the certificate of the KDC is valid? The certificate of the KDC must contain its FQDN either in the subject or in the subject alternative name>>>
    
How can I check whether the KDC's certificate's subject name or subject alternative name contains the FQDN? Where is the KDC's certificate lying? How can I access/view it? Could there be any other possibility for this error?

Thanks and regards,
Anna..
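
The check the quoted FAQ describes can be scripted with the openssl command line. This is an added example, not part of the original post and not Heimdal code; it assumes the KDC certificate has already been exported to a PEM file, and the function names and the `example.test` host names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes the KDC certificate has
# already been exported to a PEM file and that the openssl CLI is installed.

# Subject commonName values, one per line.
cert_subject_cns() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# subjectAltName dNSName values, one per line (nothing if there is no SAN).
cert_san_dns() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 if FQDN $2 is a subject CN or a SAN dNSName of certificate $1.
cert_has_fqdn() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    { cert_subject_cns "$1"; cert_san_dns "$1"; } | tr 'A-Z' 'a-z' |
        grep -Fxq -- "$want"
}

# Constructed throwaway certificate: $1=CN, $2=SAN value (may be empty), $3=output.
make_sample_cert() {
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3]\nbasicConstraints=CA:FALSE\n' > "$cfg"
    if [ -n "$2" ]; then printf 'subjectAltName=%s\n' "$2" >> "$cfg"; fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -config "$cfg" -extensions v3 -keyout "$cfg.key" -out "$3" 2>/dev/null
    rm -f "$cfg" "$cfg.key"
}

# With arguments: check a real file. Without: run on constructed samples.
if [ $# -ge 2 ]; then
    cert_has_fqdn "$1" "$2" && echo "FQDN present" || echo "FQDN missing"
else
    d=$(mktemp -d)
    make_sample_cert dc01 "DNS:dc01.example.test" "$d/san.pem"   # FQDN in SAN only
    make_sample_cert dc01 "" "$d/short.pem"                      # short name only
    for c in san short; do
        cert_has_fqdn "$d/$c.pem" dc01.example.test \
            && echo "$c.pem: FQDN present" || echo "$c.pem: FQDN missing"
    done
    rm -rf "$d"
fi
```

Run with a certificate file and the FQDN the client uses for the KDC as its two arguments; the comparison is case-insensitive and exact, so a short host name in the certificate does not count as a match.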

Re: Kerberos Backend for LDAP

Luke Howard lukeh at PADL.COM
Wed, 16 Apr 2003 00:19:53 +1000


See the previous reply to the similar question. Here are some further
references:

	IETF Kerberos WG (krb-wg)
	http://www.ietf.org/html-charters/krb-wg-charter.html

	Heimdal LDAP backend
	http://www.padl.com/Research/Heimdal.html

	LDAP-DCE Registry Integration
	http://www.opengroup.org/dif/dce/

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com

