Debugging PKINIT
Bram Cymet
bcymet at cbnco.com
Wed May 4 12:03:17 EDT 2011
Thanks for the tip. With DEBUG turned on I was able to figure out that
even though crl checking is set to false (this is just a test
environment) kinit is not happy if the /etc/krb5 folder is not there.
Now I can see that kinit is finding the cert and the smartcard and it
sees that it is matching the cert name.
However now I get
Client name mismatch while getting initial credentials
On both the client and the server.
Any idea what that means?
On 11-05-04 11:15 AM, Douglas E. Engert wrote:
>
>
> On 5/4/2011 8:56 AM, Bram Cymet wrote:
>> Hi,
>>
>> I am having some trouble trying to kinit using certificates. I can see
>> through an strace that the certificate, key, and ca cert files are being
>> read but then kinit still asks me for my password.
>>
>> Is there any way I can tell (either on the client or the server) why
>> there is a problem with the cert or if kinit is doing anything with the
>> certs other than reading them?
>>
>
> The way your krb5.conf is set up, it will only work for one user. You may
> want to look at the kinit -X X509_user_identity= option.
>
>
>> This is my krb5.conf on my client:
>>
>> TESTLDAP.CBN = {
>>
>> pkinit_anchors=FILE:/home/bcymet/Downloads/crltest-cacert.pem
>> pkinit_identities =
>> FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem
>> X509_user_identity =
>> FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem
>
> The above two should not be needed if the kinit -X option is used.
>
>>
>>
>> pkinit_eku_checking = kpKDC
>
> Is this key usage in the /etc/krb5/cbnca-auriga-prod-cert.pem cert?
>
>>
>> pkinit_kdc_hostname = cbnca-auriga-prod
>
> Should this be a FQDN? The string has to match what is in
> the KDC certificate, and is case sensitive.
>
>>
>> pkinit_cert_match =<SUBJECT>O=cbn,OU=jrz,CN=bcymet$
>
> Usually a certificate is in reverse order, and has CN=...,OU=...,O=...
> Also this is a regular expression; is the $ meant to be part of the name
> or the regular expression?
>
>> kdc = cbnca-auriga-prod.jrz.cbn
>> master_kdc = cbnca-auriga-prod
>> default_domain = test.cbn
>>
>>
>> X509_anchors=FILE:/home/bcymet/Downloads/crltest-cacert.pem
>
> This looks redundant, as you have pkinit_anchors= above
>
>> admin_server = cbnca-auriga-prod
>> pkinit_require_crl_checking = false
>> pkinit_revoke = DIR:/etc/krb5/
>> }
>
> KDC names are usually FQDN; I see you have some as FQDN and some
> not.
>
>>
>> and on the server:
>>
>> TESTLDAP.CBN = {
>> kdc = cbnca-auriga-prod
>> admin_server = cbnca-auriga-prod
>> master_kdc = cbnca-auriga-prod
>> default_domain = testLDAP.cbn
>> enable-pkinit = true
>> pkinit_identity =
>> FILE:/etc/krb5/cbnca-auriga-prod-cert.pem,/etc/krb5/cbnca-auriga-prod-privkey.pem
>> pkinit_anchors = FILE:/etc/krb5/crltest-cacert.pem
>> pkinit_eku_checking = kpClientAuth
>
> Does the client cert have this key usage defined?
>
>> pkinit_allow_proxy_certificate = false
>> pkinit_allow_upn = false
>> #pkinit_revoke = DIR:/etc/krb5/
>> #pkinit_require_crl_checking = false
>>
>> database_module = openldap_ldapconf
>>
>> key_stash_file = /usr/local/var/krb5kdc/.k5.TESTLDAP.CBN
>> #auth_to_local = RULE:[1:$1]
>> #auth_to_local = RULE:[2:$1]
>> #auth_to_local = DEFAULT
>>
>>
>> }
>>
>>
>>
>> Thanks,
>>
>
> You can build pkinit with debugging; look at plugins/preauth/pkinit/pkinit.h
> for pkiDebug and also grep for DEBUG.
>
>
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
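The points raised above about pkinit_cert_match (the subject is matched in reverse, RFC 2253 order, and the whole thing is a regular expression) can be checked before touching the KDC. The following is an added example, not code from the thread or from MIT krb5: it mimics how a pkinit_cert_match rule is evaluated against a certificate's attributes, using a constructed certificate and Python's re module as a stand-in for the C regex library kinit uses.

```python
import re

# Attributes of a constructed test certificate, in the shape kinit compares
# against: subject/issuer as RFC 2253 strings (most specific RDN first),
# SAN entries as strings, EKUs as the keywords MIT krb5 accepts in <EKU>.
SAMPLE_CERT = {
    "subject": "CN=bcymet,OU=jrz,O=cbn",
    "issuer": "CN=crltest CA,O=cbn",
    "san": ["bcymet@TESTLDAP.CBN"],
    "eku": ["clientAuth", "pkinit"],
    "ku": ["digitalSignature", "keyEncipherment"],
}

COMPONENTS = ("SUBJECT", "ISSUER", "SAN", "EKU", "KU")


def parse_rule(rule):
    """Split a rule into its operator ('&&' = all, '||' = any) and components."""
    rule = rule.strip()
    op = "&&"  # MIT krb5 defaults to requiring every component to match
    if rule[:2] in ("&&", "||"):
        op, rule = rule[:2], rule[2:]
    parts = re.findall(r"<(%s)>([^<]*)" % "|".join(COMPONENTS), rule)
    if not parts:
        raise ValueError("no <COMPONENT> in pkinit_cert_match rule: %r" % rule)
    return op, parts


def component_matches(component, value, cert):
    """Evaluate one <COMPONENT>value pair against the certificate attributes."""
    if component in ("SUBJECT", "ISSUER"):
        # A regex search, so an unanchored pattern matches anywhere in the DN
        return re.search(value, cert[component.lower()]) is not None
    if component == "SAN":
        return any(re.search(value, san) for san in cert["san"])
    # <EKU>/<KU>: every listed keyword must be present in the certificate
    wanted = {w.strip() for w in value.split(",") if w.strip()}
    return wanted.issubset(cert[component.lower()])


def cert_matches(rule, cert=SAMPLE_CERT):
    """Return True if the certificate satisfies the pkinit_cert_match rule."""
    op, parts = parse_rule(rule)
    results = [component_matches(c, v, cert) for c, v in parts]
    return all(results) if op == "&&" else any(results)


if __name__ == "__main__":
    # The rule from the thread fails because the DN is compared in reverse order
    print(cert_matches("<SUBJECT>O=cbn,OU=jrz,CN=bcymet$"))   # False
    print(cert_matches("<SUBJECT>CN=bcymet,OU=jrz,O=cbn$"))   # True
```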