help - pkinit preauth [Public]

Sylvain Girod s.girod at cerberis.com
Fri Mar 2 10:16:49 EST 2012


Hi,

I'm trying to use smartcard authentication with a Microsoft Active Directory. I have installed pam_pkcs11 to obtain the username, then pam_krb5 to do the Kerberos authentication.

My tests are on Ubuntu 10.04 LTS, which is joined to Active Directory, and everything works fine when I authenticate with a password.

Everything seems OK, I get an AS-REP with a ticket, but I have an error:

pam_krb5(login:auth): (user Administrateur) krb5_get_init_creds_password: Decrypt integrity check failed

I found that this error means it can't decrypt the ticket in the AS-REP. What is the possible cause of this issue?

Here is my PAM configuration:

auth  [success=ok authinfo_unavail=1 ignore=1 default=1]  pam_pkcs11.so nullok
auth  [success=ok default=die]                             pam_krb5.so use_first_pass
auth  [success=1 default=ignore]                           pam_unix.so nullok_secure
auth  requisite                                            pam_deny.so
auth  required                                             pam_permit.so


And my krb5.conf:

[logging]
  default = /var/log/krb5.log

[libdefaults]
  default_realm = FIM.LOCAL
  default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
  default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
  permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
  dns_lookup_realm = true
  dns_lookup_kdc = true
  passwd_check_s_address = false
  noaddresses = true
  udp_preference_limit = 1
  ccache_type = 3
  kdc_timesync = 0

[domain_realm]
  .fim.local = FIM.LOCAL
  fim.local = FIM.LOCAL
  fimad.fim.local = FIM.LOCAL
  ubuntu1004.fim.local = FIM.LOCAL

[realms]
  FIM.LOCAL = {
    kdc = fimad.fim.local:88
    master_kdc = fimad.fim.local:88
    kpasswd = fimad.fim.local:464
    kpasswd_server = fimad.fim.local:464
  }

[appdefaults]
  pam = {
    try_pkinit = true
    pkinit_anchors = FILE:/etc/pam_pkcs11/cacerts/ca.pem
    pkinit_user = PKCS11:/usr/lib/pkcs11/libgclib.so
    pkinit_revoke = FILE:/etc/pam_pkcs11/crls/crl.pem
    forwardable = true
    debug = true
    ticket-lifetime = 3600
    renew-lifetime = 3600
  }


Best Regards,
Sylvain Girod


This message was classified Public by Sylvain Girod on Friday 2 March 2012.
The classification labels were added by Titus Message Classification.



Sylvain Girod
Consultant



Tel : +33 4 76 21 17 03
Fax : +33 4 76 84 68 10
Email : s.girod at cerberis.com
Blog : http://www.interoperability-blog.com/
CERBERIS  http://www.cerberis.com
30 cours de la libération 38100 Grenoble France




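A check that is worth running before digging further into the PAM stack, as an added example that is not part of the original post: reproduce the PKINIT AS exchange with kinit alone, using the same identity and anchors as the [appdefaults] pam section above. kinit does not read the `pam = { ... }` relation (that is pam_krb5's own application section), so the PKINIT settings have to be passed explicitly with MIT kinit's `-X` options, which are real kinit options. KRB5_TRACE is honoured only by MIT krb5 1.9 and later (Ubuntu 10.04 ships 1.8), on older builds it is simply ignored. The file-existence helper and the default paths are this example's own assumptions, copied from the configuration above.

```shell
#!/bin/sh
# Added example (not from the original post): drive PKINIT through kinit
# outside PAM so the AS exchange can be observed on its own.
# Assumes MIT krb5 kinit with -X X509_user_identity / -X X509_anchors.
# Defaults mirror the poster's [appdefaults] pam section; override via env.

PKINIT_ANCHORS="${PKINIT_ANCHORS:-FILE:/etc/pam_pkcs11/cacerts/ca.pem}"
PKINIT_IDENTITY="${PKINIT_IDENTITY:-PKCS11:/usr/lib/pkcs11/libgclib.so}"

# Return the filesystem path inside a FILE:/path or PKCS11:/module.so value.
# (For PKCS11: only the module path before any ":slotid=..." suffix is kept.)
pkinit_path() {
    case "$1" in
        FILE:*)   printf '%s\n' "${1#FILE:}" ;;
        PKCS11:*) printf '%s\n' "${1#PKCS11:}" | cut -d: -f1 ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Verify that every file-backed PKINIT option points at an existing file.
# Exit status 0 when all exist, 1 otherwise; missing ones go to stderr.
check_pkinit_files() {
    rc=0
    for opt in "$@"; do
        p=$(pkinit_path "$opt")
        if [ ! -f "$p" ]; then
            echo "missing: $opt -> $p" >&2
            rc=1
        fi
    done
    return $rc
}

# Build the kinit command line equivalent to the pam_krb5 PKINIT settings.
pkinit_kinit_cmd() {
    printf 'kinit -X X509_user_identity=%s -X X509_anchors=%s %s\n' \
        "$PKINIT_IDENTITY" "$PKINIT_ANCHORS" "$1"
}

# Run the exchange with library tracing (krb5 1.9+), then list the ticket
# with its encryption types so they can be compared against krb5.conf.
# Does nothing unless kinit is installed (exit status 2 in that case).
pkinit_kinit() {
    user="$1"
    command -v kinit >/dev/null 2>&1 || { echo "kinit not found" >&2; return 2; }
    check_pkinit_files "$PKINIT_ANCHORS" "$PKINIT_IDENTITY" || return 1
    KRB5_TRACE=/dev/stderr kinit \
        -X "X509_user_identity=$PKINIT_IDENTITY" \
        -X "X509_anchors=$PKINIT_ANCHORS" "$user" && klist -e
}

# Usage: pkinit_kinit Administrateur
```

If kinit succeeds here but pam_krb5 still fails, the problem is in the PAM side of the setup rather than in the PKINIT exchange itself; if kinit fails too, the trace output and the `klist -e` encryption types give the KDC-side detail that the pam_krb5 message above does not.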





More information about the Kerberos mailing list