problem in sending AS_REQ with PKINIT

naveen.bn naveen.bn at globaledgesoft.com
Wed May 28 19:05:35 EDT 2008


Hi Kevin,

Thank you for the previous reply which you sent me.

/################ YOUR REPLY #################/

Unfortunately, I don't have the time right now to guide you.  Below is
an example of my test KDC's kdc.conf and client's krb5.conf.  As Russ
pointed out, your realm name is _highly_ unconventional, and is highly
likely to cause problems.  I don't know if it has anything to do with
any problems you are currently seeing.  Conventionally, your realm
name should be GLOBALEDGESOFT.COM (upper-case of your domain name).
Besides that, your config files look reasonable.  Without seeing the
contents of the /ca and /kdc directories, and the contents of the
certificates within them, I can't say more.

The contents of the cert and key files are expected to be in PEM
format.  Their names aren't important. See
http://www.mit.edu/~kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html
for more info on the config options.

You *may* get more help by compiling the pkinit preauth plugin code
with -DDEBUG, which will cause it to print more information to stdout.

K.C.

----  example kdc.conf ----

[kdcdefaults]
    default_realm = KWCTEST.CITI.UMICH.EDU
    kdc_ports = 750,88
    kdc_tcp_ports = 88
    v4_mode = nopreauth

[realms]
    KWCTEST.CITI.UMICH.EDU = {
        database_name = /usr/local/krb5/var/krb5kdc/KWCTEST/principal
        admin_keytab = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.keytab
        acl_file = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.acl
        dict_file = /usr/local/krb5/var/krb5kdc/kadm5.dict
        key_stash_file = /usr/local/krb5/var/krb5kdc/KWCTEST/.k5.KWCTEST.CITI.UMICH.EDU
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:afs3
        kadmind_port = 749
        pkinit_pool = FILE:/etc/grid-security/certificates/ca-intermediates.crt
        pkinit_revoke = DIR:/etc/grid-security/certificates
        pkinit_identity = FILE:/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.crt,/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.key
        pkinit_anchors = FILE:/etc/grid-security/certificates/ca-bundle.crt
        pkinit_anchors = FILE:/etc/grid-security/certificates/doe-ca.crt
        pkinit_allow_upn = true
        pkinit_eku_checking = none
    }


---- example krb5.conf ----
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = KWCTEST.CITI.UMICH.EDU
  dns_lookup_realm = true
  dns_lookup_kdc = true
  noaddresses = true
  no-addresses = true
  forwardable = true
  pkinit_anchors = DIR:/etc/grid-security/certificates

  KWCTEST.CITI.UMICH.EDU = {
    pkinit_require_eku = true
    pkinit_require_krbtgt_otherName = true
    pkinit_require_hostname_match = true
  }

[realms]

  KWCTEST.CITI.UMICH.EDU = {
    kdc = rock.citi.umich.edu
    admin_server = rock.citi.umich.edu
  }

[domain_realm]
 rock.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
 roll.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
/#################### End of Reply ############### /

It would really be helpful if I could get steps/links on generating certificates for the CA, KDC and client.
I am not very confident about the way I am generating the certificates and placing them in their profiles.
The method I have used to generate the certificates is as follows:

/************  CA certificates ***********/
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
# self-signed root: -signkey is right here (issuer = subject = the CA itself)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

at the end of this I have ca.crt and ca.key, which is self-signed

/************* END of CA crt **************/

/************* Client certificate *********/

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
# "-signkey ca.key" does not issue from the CA: "x509 -req -signkey" makes the
# output self-signed and replaces its public key with ca.key's public key, so
# client.key would no longer match client.crt. Issue with -CA/-CAkey instead.
# -extensions also needs -extfile to name the file holding the [client_cert]
# section (the file name pkinit_extensions is assumed here).
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile pkinit_extensions -extensions client_cert -out client.crt

at the end of this I have client.crt and client.key, which is signed by the
ca.key

/************* END of client crt ***********/

/************* KDC certificate *************/

openssl genrsa -out kdc.key 2048
openssl req -new -key kdc.key -out kdc.csr
# same fix as for the client certificate: issue from the CA, name the extfile
openssl x509 -req -days 365 -in kdc.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile pkinit_extensions -extensions kdc_cert -out kdc.crt

/************* END of KDC crt **************/

The content of /ca is ca.crt and ca.key, /kdc is kdc.crt and kdc.key, and /client is client.crt and client.key,
which you asked about in the previous reply.
Looking forward to your reply regarding generating certificates. Can I get the steps you
used to generate the certificates mentioned in the example kdc.conf and krb5.conf files
(previous reply)? Can I also know what the certificates in DIR:/etc/grid-security/certificates are?
It would also be helpful to know the way the kinit program selects the certificates, or the criteria to be met
for selecting the certificates to send in the AS_REQ.
Meanwhile I will compile the KDC with -DDEBUG and try to find a solution.

Thank you for your precious time and support...

with regards
 naveen
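The certificate procedure discussed in this message, carried through end to end as an added example (my own script, not code from this thread or from the MIT krb5 project): a POSIX shell script that creates a test CA, a KDC certificate and a client certificate with the PKINIT extensions from RFC 4556, i.e. the id-pkinit-san otherName (1.3.6.1.5.2.2) carrying a KRB5PrincipalName, and the id-pkinit-KPKdc (1.3.6.1.5.2.3.5) and id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) extended key usages, written in the OpenSSL extension-file layout that the MIT krb5 pkinit documentation uses. The KDC certificate's SAN holds krbtgt/REALM@REALM, which is what pkinit_require_krbtgt_otherName in the example krb5.conf above makes the client check. Each leaf is then checked the way its peer will check it: the chain verifies against the CA, the public key in the certificate matches the private key file (the check that "x509 -req -signkey ca.key" issued certificates fail), and the principal name is present in the SAN. The realm EXAMPLE.COM, host kdc.example.com, principal naveen and all file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from this thread or MIT krb5): build a test CA, KDC and
# client certificate for MIT krb5 PKINIT, then check each leaf. Realm, host,
# principal and file names are assumptions for the demonstration.
set -eu

# Write an OpenSSL config: a minimal [req] section plus extension sections for
# the CA, the KDC cert (EKU id-pkinit-KPKdc, SAN krbtgt/REALM@REALM) and the
# client cert (EKU id-pkinit-KPClientAuth, SAN client@REALM). The SAN is the
# id-pkinit-san otherName (1.3.6.1.5.2.2) holding a KRB5PrincipalName.
#   $1 = output file, $2 = realm, $3 = client principal (no realm part)
write_pkinit_extensions() {
    cat > "$1" <<EOF
[req]
distinguished_name = req_dn
[req_dn]

[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash

[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0,GeneralString:$2
principal_name = EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$2

[client_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:client_princ_name
[client_princ_name]
realm = EXP:0,GeneralString:$2
principal_name = EXP:1,SEQUENCE:client_principal_seq
[client_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:client_principals
[client_principals]
princ1 = GeneralString:$3
EOF
}

# Issue one leaf from the CA. -CA/-CAkey keep the CSR's own public key and set
# the issuer to the CA; "x509 -req -signkey ca.key" would instead produce a
# self-signed cert carrying the CA's public key.
#   $1 = dir, $2 = leaf name, $3 = extension section, $4 = subject CN
issue_leaf() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/pkinit_extensions" -key "$1/$2.key" -subj "/CN=$4" -out "$1/$2.csr"
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/pkinit_extensions" -extensions "$3" -out "$1/$2.crt"
}

#   $1 = output dir, $2 = realm, $3 = KDC hostname, $4 = client principal
make_pkinit_certs() {
    mkdir -p "$1"
    write_pkinit_extensions "$1/pkinit_extensions" "$2" "$4"
    # root CA is self-signed, so -signkey is the right tool here
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -config "$1/pkinit_extensions" -key "$1/ca.key" -subj "/CN=PKINIT test CA" -out "$1/ca.csr"
    openssl x509 -req -days 3650 -in "$1/ca.csr" -signkey "$1/ca.key" \
        -extfile "$1/pkinit_extensions" -extensions v3_ca -out "$1/ca.crt"
    issue_leaf "$1" kdc kdc_cert "$3"
    issue_leaf "$1" client client_cert "PKINIT client $4"
}

# Check a leaf the way its peer will. Returns 0 only if it chains to the CA,
# its public key matches the private key file (the check the -signkey mistake
# fails) and the expected principal component is present in the SAN.
#   $1 = cert, $2 = key, $3 = CA cert, $4 = name-string component to look for
check_pkinit_cert() {
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] || return 2
    # In DER each GeneralString follows its tag/length bytes (non-printable), so
    # after splitting the binary on non-printable bytes the name starts a line.
    openssl x509 -in "$1" -outform DER | tr -c '[:print:]' '\n' | grep "^$4" >/dev/null
}

# Run directly:  sh pkinit_certs.sh OUTDIR REALM KDC_HOST CLIENT_PRINCIPAL
if [ "$#" -eq 4 ]; then
    make_pkinit_certs "$1" "$2" "$3" "$4"
    for leaf in kdc client; do
        [ "$leaf" = kdc ] && want=krbtgt || want=$4
        if check_pkinit_cert "$1/$leaf.crt" "$1/$leaf.key" "$1/ca.crt" "$want"
        then echo "$leaf.crt: ok"; else echo "$leaf.crt: FAILED"; fi
    done
fi
```

The files map onto the configuration shown earlier in the thread: the KDC's pkinit_identity points at kdc.crt,kdc.key and its pkinit_anchors at ca.crt, while the client's pkinit_identities (krb5.conf) points at client.crt,client.key with the same anchor. The SAN check in check_pkinit_cert is a coarse byte-level sanity check; the authoritative parsing is done by kinit and the KDC, and the pkinit plugin built with -DDEBUG, as suggested in the quoted reply, will say which of the three conditions it rejected.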



