URG: PKINIT error
vinay kumar
winay.l at gmail.com
Tue Feb 16 01:30:04 EST 2010
Hi all,
I am implementing PKINIT. My krb5.conf and kdc.conf are as follows:
*************krb5.conf************
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = GLOBALEDGESOFT.COM
dns_lookup_realm = false
dns_lookup_kdc = false
pkinit_anchors = DIR:/ca/
[realms]
GLOBALEDGESOFT.COM = {
kdc = 172.16.10.211
admin_server = 172.16.10.211
default_domain = globaledgesoft.com
pkinit_identity = DIR:/client/
}
[domain_realm]
.globaledgesoft.com = GLOBALEDGESOFT.COM
globaledgesoft.com = GLOBALEDGESOFT.COM
[kdc]
profile = /etc/kdc.conf
require-preauth = yes
pkinit_identity = DIR:/kdc/
[kadmin]
require-preauth = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
********************************************************
**************kdc.conf********************************
[kdcdefaults]
kdc_ports = 750,88
pkinit_anchors = DIR:/ca/
pkinit_identity = DIR:/kdc/
[realms]
GLOBALEDGESOFT.COM = {
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.GLOBALEDGESOFT.COM
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
pkinit_identity = FILE:/client/
}
[kdc]
require-preauth = yes
***********************************************************
I have generated the certificates using openssl:
/ca contains ca.crt ca.csr ca.key
/kdc contains kdc.crt kdc.csr kdc.key
/client contains client.crt client.csr client.key
***********************************************************
I have set the preauth flag for the principals. When I do kinit
vinay@GLOBALEDGESOFT.COM, it is sending only an AS_REQ, and in reply I am getting
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED. Why am I getting this error? Why is
it sending only an AS_REQ (without containing preauthentication data)? What are
the modifications needed? Please guide me.
Regards,
Vinay
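An added example, not part of Vinay's mail: a small lint for the pkinit_* identity values in the krb5.conf/kdc.conf profile format shown above. It parses the section and nested "name = { ... }" syntax and flags values whose form cannot work, such as a FILE: value that names a directory (MIT's FILE: form is certfile[,keyfile]), which is what the realm-level pkinit_identity in the posted kdc.conf does. The embedded sample config is constructed from the mail, and the set of option names treated as identity values is an assumption.

```python
# Constructed sample mirroring the poster's kdc.conf: the realm block
# overrides [kdcdefaults] with a FILE: value that names a directory.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 pkinit_anchors = DIR:/ca/
 pkinit_identity = DIR:/kdc/
[realms]
 GLOBALEDGESOFT.COM = {
  database_name = /usr/local/var/krb5kdc/principal
  pkinit_identity = FILE:/client/
 }
"""

# Options that take MIT's identity syntax (assumed set).
IDENTITY_KEYS = {"pkinit_identity", "pkinit_identities", "pkinit_anchors", "pkinit_pool"}

def parse_profile(text):
    """Return {(section, subsection or None): {key: value}} for profile text."""
    result, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stack = line[1:-1], []
        elif line.startswith("}"):  # closes a nested block (also the "}*" marker)
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(key)  # enter "name = { ... }"
            else:
                result.setdefault((section, stack[-1] if stack else None), {})[key] = value
    return result

def lint_pkinit(text):
    """Return findings for identity values whose form cannot work; [] if clean."""
    findings = []
    for (section, sub), kv in parse_profile(text).items():
        where = f"[{section}]" + (f" {sub}" if sub else "")
        for key, value in kv.items():
            if key not in IDENTITY_KEYS:
                continue
            kind, _, rest = value.partition(":")
            parts = rest.split(",")
            if kind == "FILE" and (len(parts) > 2 or any(not p or p.endswith("/") for p in parts)):
                findings.append(f"{where} {key}: FILE: needs certfile[,keyfile], got {value!r}")
    return findings
```

Run lint_pkinit over the real kdc.conf text to see which identity value the KDC would actually try to load; a realm-level setting overrides [kdcdefaults].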