Debugging PKINIT

Douglas E. Engert deengert at anl.gov
Wed May 4 11:15:21 EDT 2011



On 5/4/2011 8:56 AM, Bram Cymet wrote:
> Hi,
>
> I am having some trouble trying to kinit using certificates. I can see
> through an strace that the certificate, key, and ca cert files are being
> read but then kinit still asks me for my password.
>
> Is there anyway I can tell (either on the client or the server) why
> there is a problem with the cert or if kinit is doing anything with the
> certs other then reading them?
>

The way your krb5.conf is set up, it will only work for one user. You may
want to look at the kinit -X X509_user_identity= option.


> This is my krb5.conf on my client:
>
> TESTLDAP.CBN = {
>
>                 pkinit_anchors=FILE:/home/bcymet/Downloads/crltest-cacert.pem
>                 pkinit_identities =
> FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem
>                 X509_user_identity =
> FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem

The above two should not be needed if the kinit -X option is used.

>
>
>                 pkinit_eku_checking = kpKDC

Is this key usage in the /etc/krb5/cbnca-auriga-prod-cert.pem cert?

>
>                 pkinit_kdc_hostname = cbnca-auriga-prod

Should this be a FQDN? The string has to match what is in
the KDC certificate, and is case sensitive.

>
>                 pkinit_cert_match =<SUBJECT>O=cbn,OU=jrz,CN=bcymet$

Usually a certificate is in reverse order, and has CN=...,OU=...,O=...
Also, this is a regular expression; is the $ meant to be part of the name
or the regular expression?

>                 kdc = cbnca-auriga-prod.jrz.cbn
>                 master_kdc = cbnca-auriga-prod
>                 default_domain = test.cbn
>
>
>                 X509_anchors=FILE:/home/bcymet/Downloads/crltest-cacert.pem

This looks redundant, as you have pkinit_anchors= above.

>                 admin_server = cbnca-auriga-prod
>                 pkinit_require_crl_checking = false
>                 pkinit_revoke = DIR:/etc/krb5/
>         }

KDC names are usually FQDN; I see you have some as FQDN and some
not.

>
> and on the server:
>
>   TESTLDAP.CBN = {
>                  kdc = cbnca-auriga-prod
>                  admin_server = cbnca-auriga-prod
>                  master_kdc = cbnca-auriga-prod
>                  default_domain = testLDAP.cbn
>                  enable-pkinit = true
>                  pkinit_identity =
> FILE:/etc/krb5/cbnca-auriga-prod-cert.pem,/etc/krb5/cbnca-auriga-prod-privkey.pem
>                  pkinit_anchors = FILE:/etc/krb5/crltest-cacert.pem
>                  pkinit_eku_checking = kpClientAuth

Does the client cert have this key usage defined?

>                  pkinit_allow_proxy_certificate = false
>                  pkinit_allow_upn = false
>                  #pkinit_revoke = DIR:/etc/krb5/
>                  #pkinit_require_crl_checking = false
>
>                  database_module = openldap_ldapconf
>
>                  key_stash_file = /usr/local/var/krb5kdc/.k5.TESTLDAP.CBN
>                  #auth_to_local = RULE:[1:$1]
>                  #auth_to_local = RULE:[2:$1]
>                  #auth_to_local = DEFAULT
>
>
>          }
>
>
>
> Thanks,
>

You can build pkinit with debugging; look at plugins/preauth/pkinit/pkinit.h
for pkiDebug and also grep for DEBUG.


-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
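The three checks raised in the reply above (does each certificate carry the EKU named by pkinit_eku_checking, is the pkinit_cert_match subject regex written against the reversed CN-first DN, and does pkinit_kdc_hostname equal the name in the KDC certificate exactly) can be tried on a workstation before touching kinit. The following script is an added example and is not code from the thread or from MIT Kerberos. It does not parse certificates; it takes the subject DN components and EKU OIDs that `openssl x509 -in cert.pem -noout -subject -nameopt RFC2253` and `openssl x509 -in cert.pem -noout -text` print, and it assumes, as the reply states, that the `<SUBJECT>` regex is matched against the DN rendered most-specific-first (CN=...,OU=...,O=...) and that the hostname comparison is case-sensitive. The sample certificate data inside `run_checks()` is constructed for illustration; the EKU OIDs are the ones defined in RFC 4556 (`id-pkinit-KPClientAuth`, `id-pkinit-KPKdc`), RFC 5280 (`id-kp-clientAuth`) and Microsoft's smart card logon OID.

```python
"""Pre-flight checks for PKINIT settings (added example, not from the post)."""
import re

# Extended Key Usage OIDs that pkinit_eku_checking values refer to.
EKU_OIDS = {
    "kpClientAuth": "1.3.6.1.5.2.3.4",        # id-pkinit-KPClientAuth (RFC 4556)
    "kpKDC":        "1.3.6.1.5.2.3.5",        # id-pkinit-KPKdc        (RFC 4556)
    "clientAuth":   "1.3.6.1.5.5.7.3.2",      # id-kp-clientAuth       (RFC 5280)
    "msScLogin":    "1.3.6.1.4.1.311.20.2.2", # Microsoft smart card logon
}


def has_eku(cert_ekus, required):
    """True if the certificate's EKU OID list contains the OID named by
    `required` (a pkinit_eku_checking value such as kpKDC or kpClientAuth)."""
    return EKU_OIDS[required] in set(cert_ekus)


def subject_matches(rule, subject_rdns):
    """Emulate a <SUBJECT>regex rule from pkinit_cert_match.

    `subject_rdns` is the DN as (attr, value) pairs in the order they are
    encoded in the certificate, e.g. [("O","cbn"),("OU","jrz"),("CN","bcymet")].
    Assumption of this example: the regex is tested against the DN rendered
    in reversed RFC 2253 form (CN first), which is what the reply describes.
    """
    if not rule.startswith("<SUBJECT>"):
        raise ValueError("only <SUBJECT> rules are handled here")
    regex = rule[len("<SUBJECT>"):]
    rendered = ",".join(f"{attr}={value}" for attr, value in reversed(subject_rdns))
    return re.search(regex, rendered) is not None


def kdc_hostname_matches(configured, san_dnsnames):
    """pkinit_kdc_hostname must equal a dNSName in the KDC certificate exactly;
    the comparison is case-sensitive, so no lower-casing is done here."""
    return configured in san_dnsnames


def run_checks():
    """Run the settings from the thread against constructed sample
    certificate data (these DN, EKU and SAN values are made up)."""
    client_subject = [("O", "cbn"), ("OU", "jrz"), ("CN", "bcymet")]
    client_ekus = [EKU_OIDS["clientAuth"], EKU_OIDS["kpClientAuth"]]
    kdc_ekus = [EKU_OIDS["kpKDC"]]
    kdc_san = ["cbnca-auriga-prod.jrz.cbn"]
    return {
        # server side: pkinit_eku_checking = kpClientAuth
        "client_has_kpClientAuth": has_eku(client_ekus, "kpClientAuth"),
        # client side: pkinit_eku_checking = kpKDC
        "kdc_has_kpKDC": has_eku(kdc_ekus, "kpKDC"),
        # the rule as posted never matches the CN-first rendering
        "match_as_posted": subject_matches("<SUBJECT>O=cbn,OU=jrz,CN=bcymet$", client_subject),
        # the same name written in reversed order, anchored at both ends
        "match_reversed": subject_matches("<SUBJECT>^CN=bcymet,OU=jrz,O=cbn$", client_subject),
        # short name vs. FQDN in the KDC certificate
        "kdc_hostname_short": kdc_hostname_matches("cbnca-auriga-prod", kdc_san),
        "kdc_hostname_fqdn": kdc_hostname_matches("cbnca-auriga-prod.jrz.cbn", kdc_san),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

With the sample data, the two EKU checks and the reversed, fully anchored subject rule pass, while the rule as posted and the short KDC hostname fail, which is the pattern of failures the reply points at: kinit silently falls back to a password prompt when the certificate match or hostname check does not succeed, so verifying these inputs outside of kinit saves a round of strace reading.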


