Debugging PKINIT
Bram Cymet
bcymet at cbnco.com
Wed May 4 09:56:32 EDT 2011
Hi,
I am having some trouble trying to kinit using certificates. I can see
through an strace that the certificate, key, and ca cert files are being
read but then kinit still asks me for my password.
Is there any way I can tell (either on the client or the server) why
there is a problem with the cert or if kinit is doing anything with the
certs other than reading them?
This is my krb5.conf on my client:
TESTLDAP.CBN = {
pkinit_anchors=FILE:/home/bcymet/Downloads/crltest-cacert.pem
pkinit_identities = FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem
X509_user_identity = FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem
pkinit_eku_checking = kpKDC
pkinit_kdc_hostname = cbnca-auriga-prod
pkinit_cert_match = <SUBJECT>O=cbn,OU=jrz,CN=bcymet$
kdc = cbnca-auriga-prod.jrz.cbn
master_kdc = cbnca-auriga-prod
default_domain = test.cbn
X509_anchors=FILE:/home/bcymet/Downloads/crltest-cacert.pem
admin_server = cbnca-auriga-prod
pkinit_require_crl_checking = false
pkinit_revoke = DIR:/etc/krb5/
}
and on the server:
TESTLDAP.CBN = {
kdc = cbnca-auriga-prod
admin_server = cbnca-auriga-prod
master_kdc = cbnca-auriga-prod
default_domain = testLDAP.cbn
enable-pkinit = true
pkinit_identity = FILE:/etc/krb5/cbnca-auriga-prod-cert.pem,/etc/krb5/cbnca-auriga-prod-privkey.pem
pkinit_anchors = FILE:/etc/krb5/crltest-cacert.pem
pkinit_eku_checking = kpClientAuth
pkinit_allow_proxy_certificate = false
pkinit_allow_upn = false
#pkinit_revoke = DIR:/etc/krb5/
#pkinit_require_crl_checking = false
database_module = openldap_ldapconf
key_stash_file = /usr/local/var/krb5kdc/.k5.TESTLDAP.CBN
#auth_to_local = RULE:[1:$1]
#auth_to_local = RULE:[2:$1]
#auth_to_local = DEFAULT
}
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
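The question above is how to find out, before kinit silently falls back to a password, whether the client certificate, key and anchor are actually usable for PKINIT. The script below is an added example, not code from the post, from MIT krb5 or from the Kerberos project: it pre-flights the three files named by pkinit_identities and pkinit_anchors using only the openssl CLI, with checks that mirror what a KDC configured with pkinit_eku_checking = kpClientAuth enforces on a client certificate (key matches cert, cert chains to the anchor, id-pkinit-KPClientAuth EKU present). Function names, the file paths and the self-test PKI it builds in a temporary directory are constructed for the example; the self-test data stands in for the bcymet-cert.pem / bcymet-privkey.pem / crltest-cacert.pem files in the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of MIT krb5: pre-flight
# the files named by pkinit_identities and pkinit_anchors with the openssl
# CLI before blaming kinit. Each check mirrors something a KDC running with
# pkinit_eku_checking = kpClientAuth enforces on the client certificate.
set -eu

# check_pkinit_identity CERT KEY ANCHOR  -> 0 if the identity is usable.
check_pkinit_identity() {
    cert=$1; key=$2; anchor=$3

    # 1. The private key must belong to the certificate: compare a digest of
    #    the DER-encoded public key taken from each file.
    cert_fp=$(openssl x509 -in "$cert" -noout -pubkey |
              openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_fp" != "$key_fp" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2; return 1
    fi

    # 2. The certificate must chain to the anchor file (pkinit_anchors).
    if ! openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $anchor" >&2; return 1
    fi

    # 3. kpClientAuth EKU checking needs id-pkinit-KPClientAuth, OID
    #    1.3.6.1.5.2.3.4, which openssl prints either by OID or by name.
    eku=$(openssl x509 -in "$cert" -noout -text | sed -n '/Extended Key Usage/{n;p;}')
    if ! printf '%s\n' "$eku" |
         grep -Eq '1\.3\.6\.1\.5\.2\.3\.4|PKINIT Client Auth|pkInitClientAuth'; then
        echo "FAIL: $cert has no id-pkinit-KPClientAuth EKU (found: ${eku:-none})" >&2
        return 1
    fi

    # 4. Informational: the subject in RFC 2253 order, to compare by eye with
    #    the <SUBJECT> rule in pkinit_cert_match.
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253
}

# make_sample_pki -> prints a temp dir holding a constructed test CA, a
# client cert/key that should pass, and a second cert without the PKINIT
# EKU that should fail. Sample data only; nothing here is a real identity.
make_sample_pki() {
    dir=$(mktemp -d)
    cat >"$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = cbn
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = 1.3.6.1.5.2.3.4
[noeku_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
    newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    # shellcheck disable=SC2086
    openssl req -x509 -new $newkey -days 2 -config "$dir/pki.cnf" \
        -extensions ca_ext -subj "/O=cbn/CN=PKINIT test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    for name in client noeku; do
        openssl req -new $newkey -config "$dir/pki.cnf" \
            -subj "/O=cbn/OU=jrz/CN=bcymet" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 2 \
            -extfile "$dir/pki.cnf" -extensions "${name}_ext" \
            -out "$dir/$name.pem" 2>/dev/null
    done
    echo "$dir"
}

# Usage: sh pkinit-preflight.sh CERT KEY ANCHOR   (or --selftest)
main() {
    if [ "${1:-}" = "--selftest" ]; then
        d=$(make_sample_pki)
        set -- "$d/client.pem" "$d/client.key" "$d/ca.pem"
    elif [ $# -ne 3 ]; then
        echo "usage: $0 CERT KEY ANCHOR | --selftest" >&2; return 2
    fi
    check_pkinit_identity "$1" "$2" "$3" && echo "OK: PKINIT client identity looks usable"
}

[ $# -eq 0 ] || main "$@"
```

Run it as `sh pkinit-preflight.sh bcymet-cert.pem bcymet-privkey.pem crltest-cacert.pem`; any FAIL line is a reason the KDC would refuse the certificate and kinit would drop to password preauth. The script deliberately does not check revocation, which matches the post's client setting pkinit_require_crl_checking = false and the commented-out CRL options on the KDC. For the client-side view the post asks about, MIT krb5 1.9 and later also honour `KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=FILE:cert.pem,key.pem user`, which logs whether the PKINIT preauth module was attempted and why it was skipped.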