URG: PKINIT error

Kevin Coffman kwcoffman at gmail.com
Tue Feb 16 11:52:12 EST 2010


On Tue, Feb 16, 2010 at 1:30 AM, vinay kumar <winay.l at gmail.com> wrote:
> Hi all,
>
>         I am implementing PKINIT. My krb5.conf and kdc.conf are as follows
>
> *************krb5.conf************
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = GLOBALEDGESOFT.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  pkinit_anchors = DIR:/ca/
>
> [realms]
>  GLOBALEDGESOFT.COM = {
>  kdc = 172.16.10.211
>  admin_server = 172.16.10.211
>  default_domain = globaledgesoft.com
>  pkinit_identity = DIR:/client/
>  }
>
> [domain_realm]
>  .globaledgesoft.com = GLOBALEDGESOFT.COM
>  globaledgesoft.com = GLOBALEDGESOFT.COM
>
> [kdc]
>  profile = /etc/kdc.conf
>  require-preauth = yes
>  pkinit_identity = DIR:/kdc/
>
> [kadmin]
>  require-preauth = yes
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
> ********************************************************
> **************kdc.conf********************************
> [kdcdefaults]
>        kdc_ports = 750,88
>        pkinit_anchors = DIR:/ca/
>        pkinit_identity = DIR:/kdc/
>
> [realms]
>        GLOBALEDGESOFT.COM = {
>                database_name = /usr/local/var/krb5kdc/principal
>                admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>                acl_file = /usr/local/var/krb5kdc/kadm5.acl
>                key_stash_file = /usr/local/var/krb5kdc/.k5.GLOBALEDGESOFT.COM
>                kdc_ports = 750,88
>                max_life = 10h 0m 0s
>                max_renewable_life = 7d 0h 0m 0s
>                pkinit_identity = FILE:/client/
>        }
>
> [kdc]
>  require-preauth = yes
> ***********************************************************
> I have generated the certificates using openssl:
> /ca contains ca.crt  ca.csr  ca.key
> /kdc contains kdc.crt  kdc.csr  kdc.key
> /client contains client.crt  client.csr  client.key
> ***********************************************************
>
> I have set the preauth flag for principals. When I do kinit
> vinay@GLOBALEDGESOFT.COM, it sends only an AS_REQ and in reply I get
> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED. Why am I getting this error? Why
> is it sending only an AS_REQ (without containing preauthentication data)? What are
> the modifications needed? Please guide me.
>
> Regards,
> Vinay

This is normal.  If the KDC's pkinit configuration is correct (the
plugin is available and correctly configured), its
KRB5KDC_ERR_PREAUTH_REQUIRED reply should list pkinit as a suitable
preauthentication method.  The client should then respond with another
AS_REQ including the pkinit preauth information.

K.C.
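As an added example (not code from this thread or from MIT Kerberos), the following Python decodes the METHOD-DATA a KDC places in the e-data of its KRB5KDC_ERR_PREAUTH_REQUIRED reply and reports whether PA-PK-AS-REQ (padata type 16, RFC 4556) is among the offered mechanisms, which is what decides whether the client's second AS_REQ can carry pkinit data. The PA-DATA type numbers come from RFC 4120 and RFC 4556; the sample e-data bytes are constructed here with a minimal DER encoder, not captured from the poster's KDC.

```python
# PA-DATA types from RFC 4120 and RFC 4556 (PKINIT); 16 is PA-PK-AS-REQ.
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 16: "PA-PK-AS-REQ",
            17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2"}
PA_PK_AS_REQ = 16

def der_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_method_data(edata):
    """METHOD-DATA ::= SEQUENCE OF PA-DATA; PA-DATA ::= SEQUENCE { padata-type [1]
    Int32, padata-value [2] OCTET STRING } (RFC 4120). Returns (type, value) pairs."""
    tag, seq, _ = der_tlv(edata, 0)
    if tag != 0x30:
        raise ValueError("e-data is not a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, pa, pos = der_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PA-DATA is not a SEQUENCE")
        _, typ_wrap, p = der_tlv(pa, 0)     # [1] EXPLICIT wrapper around INTEGER
        _, val_wrap, _ = der_tlv(pa, p)     # [2] EXPLICIT wrapper around OCTET STRING
        _, typ, _ = der_tlv(typ_wrap, 0)
        _, val, _ = der_tlv(val_wrap, 0)
        entries.append((int.from_bytes(typ, "big", signed=True), val))
    return entries

def offered_preauth(edata):
    """Names of the mechanisms the KDC listed, in the order it listed them."""
    return [PA_TYPES.get(t, f"PA-TYPE-{t}") for t, _ in parse_method_data(edata)]

def pkinit_offered(edata):
    """True when the KDC advertised PA-PK-AS-REQ, i.e. the client may resend
    AS-REQ carrying PKINIT preauth data instead of an encrypted timestamp."""
    return any(t == PA_PK_AS_REQ for t, _ in parse_method_data(edata))

def der(tag, body):
    """Minimal DER encoder (bodies under 128 bytes), used only to build samples."""
    return bytes([tag, len(body)]) + body

def pa_data(typ, value=b""):
    """Build one PA-DATA entry; typ must fit one positive DER INTEGER byte (< 128)."""
    return der(0x30, der(0xA1, der(0x02, bytes([typ]))) + der(0xA2, der(0x04, value)))

# Constructed sample: a KDC offering encrypted timestamp, PKINIT and etype-info2.
SAMPLE_EDATA = der(0x30, pa_data(2) + pa_data(PA_PK_AS_REQ) + pa_data(19))
```

If the decoded list from a real KRB-ERROR lacks PA-PK-AS-REQ, the KDC side (plugin loading, pkinit_identity and pkinit_anchors) is the place to look, not the client.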
