Debugging PKINIT

Bram Cymet bcymet at cbnco.com
Wed May 4 12:03:17 EDT 2011


Thanks for the tip. With DEBUG turned on I was able to figure out that
even though CRL checking is set to false (this is just a test
environment) kinit is not happy if the /etc/krb5 folder is not there.

Now I can see that kinit is finding the cert and the smartcard and it
sees that it is matching the cert name.

However, now I get:
Client name mismatch while getting initial credentials

On both the client and the server.

Any idea what that means?

On 11-05-04 11:15 AM, Douglas E. Engert wrote:
> 
> 
> On 5/4/2011 8:56 AM, Bram Cymet wrote:
>> Hi,
>>
>> I am having some trouble trying to kinit using certificates. I can see
>> through an strace that the certificate, key, and ca cert files are being
>> read but then kinit still asks me for my password.
>>
>> Is there any way I can tell (either on the client or the server) why
>> there is a problem with the cert or if kinit is doing anything with the
>> certs other than reading them?
>>
> 
> The way your krb5.conf is set up, it will only work for one user. You may
> want to look at the kinit -X X509_user_identity= option.
> 
> 
>> This is my krb5.conf on my client:
>>
>> TESTLDAP.CBN = {
>>
>>                 pkinit_anchors=FILE:/home/bcymet/Downloads/crltest-cacert.pem
>>                 pkinit_identities =
>> FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem
>>                 X509_user_identity =
>> FILE:/home/bcymet/Downloads/bcymet-cert.pem,/home/bcymet/Downloads/bcymet-privkey.pem
> 
> The above two should not be needed if the kinit -X option is used.
> 
>>
>>
>>                 pkinit_eku_checking = kpKDC
> 
> Is this key usage in the /etc/krb5/cbnca-auriga-prod-cert.pem cert?
> 
>>
>>                 pkinit_kdc_hostname = cbnca-auriga-prod
> 
> Should this be a FQDN? The string has to match what is in
> the KDC certificate, and is case sensitive.
> 
>>
>>                 pkinit_cert_match =<SUBJECT>O=cbn,OU=jrz,CN=bcymet$
> 
> Usually a certificate is in reverse order, and has CN=...,OU=...,O=...
> Also this is a regular expression, is the $ meant to be part of the name
> or the regular expression?
> 
>>                 kdc = cbnca-auriga-prod.jrz.cbn
>>                 master_kdc = cbnca-auriga-prod
>>                 default_domain = test.cbn
>>
>>
>>                 X509_anchors=FILE:/home/bcymet/Downloads/crltest-cacert.pem
> 
> This looks redundant, as you have pkinit_anchors= above
> 
>>                 admin_server = cbnca-auriga-prod
>>                 pkinit_require_crl_checking = false
>>                 pkinit_revoke = DIR:/etc/krb5/
>>         }
> 
> KDC names are usually FQDN, I see you have some as FQDN and
> some not.
> 
>>
>> and on the server:
>>
>>   TESTLDAP.CBN = {
>>                  kdc = cbnca-auriga-prod
>>                  admin_server = cbnca-auriga-prod
>>                  master_kdc = cbnca-auriga-prod
>>                  default_domain = testLDAP.cbn
>>                  enable-pkinit = true
>>                  pkinit_identity =
>> FILE:/etc/krb5/cbnca-auriga-prod-cert.pem,/etc/krb5/cbnca-auriga-prod-privkey.pem
>>                  pkinit_anchors = FILE:/etc/krb5/crltest-cacert.pem
>>                  pkinit_eku_checking = kpClientAuth
> 
> Does the client cert have this key usage defined?
> 
>>                  pkinit_allow_proxy_certificate = false
>>                  pkinit_allow_upn = false
>>                  #pkinit_revoke = DIR:/etc/krb5/
>>                  #pkinit_require_crl_checking = false
>>
>>                  database_module = openldap_ldapconf
>>
>>                  key_stash_file = /usr/local/var/krb5kdc/.k5.TESTLDAP.CBN
>>                  #auth_to_local = RULE:[1:$1]
>>                  #auth_to_local = RULE:[2:$1]
>>                  #auth_to_local = DEFAULT
>>
>>
>>          }
>>
>>
>>
>> Thanks,
>>
> 
> You can build the pkinit with debugging; look at plugins/preauth/pkinit/pkinit.h
> for pkiDebug and also grep for DEBUG.
> 
> 


-- 
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
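
Added example, not part of the original thread and not MIT Kerberos code: the two questions raised in the reply about the pkinit_cert_match rule (RDN order and the trailing $), checked in Python. It assumes the rule is applied as an unanchored regular-expression search over a string form of the subject DN, with Python's re standing in for the plugin's regex engine; the subject strings are constructed, and only the <SUBJECT> and <ISSUER> rule forms are handled.

```python
import re

# Rule exactly as posted in the client krb5.conf in the thread.
RULE = "<SUBJECT>O=cbn,OU=jrz,CN=bcymet$"

# Constructed subject strings: the same three RDNs in both common renderings.
SUBJECT_O_FIRST = "O=cbn,OU=jrz,CN=bcymet"
SUBJECT_CN_FIRST = "CN=bcymet,OU=jrz,O=cbn"


def parse_rule(rule):
    """Split '<SUBJECT>regex' or '<ISSUER>regex' into (component, regex)."""
    m = re.fullmatch(r"<(SUBJECT|ISSUER)>(.+)", rule)
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    return m.group(1), m.group(2)


def rule_matches(rule, dn):
    """Assumed semantics: unanchored regex search over the DN string."""
    _, pattern = parse_rule(rule)
    return re.search(pattern, dn) is not None


def report(rule, candidates):
    """Map each candidate DN string to whether the rule selects it."""
    return {dn: rule_matches(rule, dn) for dn in candidates}


if __name__ == "__main__":
    candidates = [
        SUBJECT_O_FIRST,            # same order as the rule
        SUBJECT_CN_FIRST,           # reversed rendering of the same name
        SUBJECT_O_FIRST + "2",      # longer CN: rejected only by the trailing $
        "C=CA," + SUBJECT_O_FIRST,  # extra leading RDN: accepted, no ^ anchor
    ]
    for dn, ok in report(RULE, candidates).items():
        print("%-32s %s" % (dn, "match" if ok else "no match"))
    # The same rule without the trailing $ also accepts the longer CN.
    print("without $:", rule_matches(RULE[:-1], SUBJECT_O_FIRST + "2"))
```

Comparing the output against the subject string the PKINIT debug build prints for the real certificate shows which rendering the rule has to be written for.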


