problem in sending AS_REQ

Kevin Coffman kwc at umich.edu
Tue May 27 08:40:52 EDT 2008 

On Mon, May 26, 2008 at 12:02 PM, naveen.bn
<naveen.bn at globaledgesoft.com> wrote:
> hi all,
> This is my krb5.conf
> *********************  krb5.conf ******************************
> [libdefaults]
>    default_realm = _kerberos._udp.globaledgesoft.com
>    krb4_config = /usr/kerberos/lib/krb.conf
>    krb5_realms = /usr/kerberos/lib/krb.realms
>    pkinit_anchors  = FILE:/secure/ca-cert.pem
>
> [realms]
>     _kerberos._udp.globaledgesoft.com = {
>        admin_server = 172.16.8.141
>        kdc = 172.16.8.141
>        v4_instance_convert = {
>            gesl =  _kerberos._udp.globaledgesoft.com
>            lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com
>        }
>
>    pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
>
>    }
>    ANDREW.CMU.EDU = {
>        admin_server = 172.16.8.141
>    }
> # use "kdc =" if realm admins haven't put SRV records into DNS
>        GNU.ORG = {
>                kdc = 172.16.8.141
>                kdc = 172.16.9.141
>                admin_server = 172.16.8.141
>        }
>
> [domain_realm]
>    .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>    globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>
> [logging]
> #    kdc = CONSOLE
>    kdc=FILE:/var/krb5kdc.log
>    admin_server = FILE:/var/log/kadmin.log
>        default = FILE:/var/log/krb5lib.log
> ***********************************************************************
> and this is my kdc.conf
> [kdcdefaults]
>    kdc_ports = 750,88
>    pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>    pkinit_anchors=DIR:/secure/ca-cert.pem

For pkinit_anchors, you are specifying "DIR:", but giving a file name?

> [realms]
>  _kerberos._udp.globaledgesoft.com = {
>        database_name = /usr/local/var/krb5kdc/principal
>        admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>        acl_file = /usr/local/var/krb5kdc/kadm5.acl
>        key_stash_file =
> /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>        kdc_ports = 750,88
>        max_life = 10h 0m 0s
>        max_renewable_life = 7d 0h 0m 0s
>
>    pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>    pkinit_anchors=DIR:/secure/ca-cert.pem
>    }
>
> ***************************************** kdc.conf **********************
> I have used openssl program to generate the mycert.pem and key , but i
> have not signed it with any ( neither self nor with ca ).

I'm not sure what you mean here.  A certificate must be signed by
someone/something.  The client will not attempt preauth if the
server's certificate is not trusted.

> kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key
> naveen
> kinit(v5): Unknown code u8JW 88 while setting
> 'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key

Obviously, there is a problem with that error code.

> i am not able to send AS_REQ with pa data filled with certificates .
> I am stuck her, please help me .
>
> thank you .
>
> with regards
> naveen

The MIT client will not send pkinit information until the server
indicates it will accept it.  The server does this by indicating that
the client principal requires preauthentication, and that pkinit is an
acceptable form of preauthentication.

Does the client principal have the requires_preauth flag set?  Is the
server telling the client that pkinit is an acceptable preauth method?

More information about the Kerberos mailing list