Help using PKINIT (MIT)
JAKOBI Pascal
pascal.jakobi at thalesgroup.com
Thu Mar 31 07:28:39 EDT 2011
Hi there
I need help in order to get PKINIT working on Fedora 14.
I have a running kerberos server with krb-server, krb-server-ldap and so
on (1.8.2).
I also have installed krb5-pkinit-openssl.
The stuff works like a charm when running in "standard" kerberos, i.e.
w/o pkinit.
Then we tried to set up pkinit according to the instructions found at
http://k5wiki.kerberos.org. In particular, we carefully checked our certs.
However, the behaviour does not seem correct.
We issue a kinit -X x509_user_identity=<DN found in the client cert>
<principal> on the client side (another Fedora instance with software
certs).
With Wireshark, we see that an AS-REQ is sent to the server. However, it
does not seem to convey any certificate (pa-data type = 149).
Then the server replies with ERR_PREAUTH_REQUIRED (the principal that is
used has its preauth option set). Is this normal?
As a result of this, the standard AS_REQ/REP procedure seems to be
played (as a password is requested on the client side).
The problem is that even when recompiling pkinit with DEBUG set, we
cannot see anything....
Any help (very) greatly appreciated.
Thanks
Pascal
--
Pascal Jakobi
Sr. Architect, Thales
1 av. A. Fresnel
91767 Palaiseau, France
Tel. : +33 1 69 41 60 51
Mob.: + 33 6 87 47 58 19
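A minimal PKINIT configuration for the setup described in the post above (MIT krb5 1.8 on both the KDC and the client), given here as an added example that is not part of the original message or of the k5wiki instructions. The realm name EXAMPLE.COM, the host name, the file paths and the user name are assumptions; the option names are the ones documented for MIT kdc.conf and krb5.conf.

```ini
# --- /var/kerberos/krb5kdc/kdc.conf on the KDC (paths and realm are assumptions) ---
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        # KDC certificate and private key. The certificate needs the
        # id-pkinit-KPKdc extended key usage and a SAN carrying
        # krbtgt/EXAMPLE.COM@EXAMPLE.COM (RFC 4556); without a usable
        # pkinit_identity the KDC does not advertise PA-PK-AS-REQ at all.
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        # CA(s) trusted to have issued the client certificates
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }

# --- /etc/krb5.conf on the client (paths and realm are assumptions) ---
[libdefaults]
    default_realm = EXAMPLE.COM
    # Client certificate and key; "kinit -X X509_user_identity=..." overrides this
    pkinit_identities = FILE:/home/pascal/user.pem,/home/pascal/userkey.pem

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        admin_server = kdc.example.com
        # CA that issued the KDC certificate; kinit verifies the KDC's
        # signature in PA-PK-AS-REP against this anchor
        pkinit_anchors = FILE:/etc/pki/tls/certs/cacert.pem
    }
```

With this in place the client is started as `kinit -X X509_user_identity=FILE:/home/pascal/user.pem,/home/pascal/userkey.pem pascal@EXAMPLE.COM`, where the value is a file (or PKCS12:/PKCS11:/DIR:) location rather than a DN. Two things to check in the Wireshark capture: the PREAUTH_REQUIRED error's e-data lists the pre-authentication types the KDC accepts, and PKINIT only proceeds if that list contains type 16 (PA-PK-AS-REQ); the client's second AS-REQ should then carry a pa-data of type 16 holding the signed AuthPack with the client certificate. Type 149 is PA-REQ-ENC-PA-REP (RFC 6806), which MIT clients add to every AS-REQ and which says nothing about certificates.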