kinit pkinit question.

Kevin Coffman kwc at citi.umich.edu
Sat Mar 1 13:20:48 EST 2008


On Sat, Mar 1, 2008 at 1:46 AM, Matthew Andrews <matt at slackers.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>  Hash: SHA1
>
> | Matt,
>  | The obvious question is whether your KDC is properly configured for
>  | pkinit?  Also, is the client configured to require preauthentication?
>  | If so, the KDC should offer the pkinit preauth method to the client in
>  | a preauth-required message.  Unlike the Heimdal client, the MIT client
>  | will not send padata automatically just because you specified
>  | pkinit_identity and pkinit_anchors.
>  |
>  | K.C.
>  |
>  |
>
>  well, I have the following in the kdc.conf in the realms stanza entry
>  for the realm in question:
>
>
>
>  again I'm still not sure what I'm missing. I'm sure that in the end
>  it'll be something that I go "oh, DUH!" about but for now I don't see
>  it. Thanks for the help.

I haven't looked closely at the KDC cert, but you didn't mention
whether the client principal's DB entry has the requires_preauth flag
set.  Does the KDC not offer pkinit as a valid patype?

K.C.
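As an added example, not code from the original thread or from MIT Kerberos itself, the following sh script performs the check K.C. asks about: whether the client principal's KDB entry carries the requires_preauth flag, which is what makes an MIT KDC answer the first AS-REQ with a preauth-required error listing the pkinit patypes. It assumes the MIT `kadmin.local` output format ("Attributes:" followed by space-separated flag names); the principal name, realm, certificate paths and the `KADMIN` override variable are placeholders introduced here for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): check, and optionally set, the
# requires_preauth flag on a principal's KDB entry with MIT kadmin.local.
# An MIT KDC only answers the first AS-REQ with KDC_ERR_PREAUTH_REQUIRED, the
# message that lists the pkinit patypes, when the entry carries this flag;
# without it the client never gets to send PA-PK-AS-REQ no matter what
# pkinit_identity/pkinit_anchors say. Principal, realm and file paths are
# placeholders.

# kadmin.local needs read access to the KDB (normally root on the KDC).
# KADMIN can be pointed at a stub that prints getprinc-style output, which is
# how the offline test of this script exercises the logic.
KADMIN="${KADMIN:-kadmin.local}"

# Read `getprinc` output on stdin; succeed iff the Attributes line lists
# REQUIRES_PRE_AUTH (MIT prints flags space-separated after "Attributes:").
has_requires_preauth() {
    grep -E '^Attributes:.*REQUIRES_PRE_AUTH' >/dev/null
}

# check_requires_preauth PRINCIPAL [fix]
# Prints "ok" if the flag is set, "missing" if not (exit status 1), or
# "fixed" when called with "fix" and the flag had to be added via modprinc.
check_requires_preauth() {
    princ="$1"
    mode="${2:-check}"
    if "$KADMIN" -q "getprinc $princ" | has_requires_preauth; then
        echo ok
        return 0
    fi
    if [ "$mode" = fix ]; then
        "$KADMIN" -q "modprinc +requires_preauth $princ" >/dev/null
        echo fixed
        return 0
    fi
    echo missing
    return 1
}

# Client side, once the KDC offers pkinit: MIT kinit answers the offer using
# either pkinit_identity/pkinit_anchors from krb5.conf or explicit -X options;
# in both cases it sends PA-PK-AS-REQ only after the KDC has asked for
# preauthentication. Assumed paths:
#   kinit -X X509_user_identity=FILE:/home/matt/cert.pem,/home/matt/key.pem \
#         -X X509_anchors=FILE:/etc/krb5/cacert.pem matt@EXAMPLE.COM
# On MIT krb5 1.9 and later, KRB5_TRACE=/dev/stderr in front of kinit shows
# which patypes the KDC actually offered.

# Stand-alone use: ./preauth-check.sh matt@EXAMPLE.COM [fix]
if [ "$#" -gt 0 ]; then
    check_requires_preauth "$@"
fi
```

Run it on the KDC as root against the principal that fails to get pkinit; "missing" means the KDC had no reason to send a preauth-required error, and the pkinit padata question never arises until that flag is set.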


