Re: pkinit for multiple user support

sasikumar bodathula sasikumar.b at rediffmail.com
Wed May 29 02:08:23 EDT 2013


Forgot to mention the following in my previous e-mail.

Some more info: I tried kinit with the X509_user_pool option (does this exist, since kinit did not complain?) and the X509_user_identity option with DIR: (is this supported, or does each user-specific file need to be mentioned in the kinit command with FILE: options?).

Best Regards,

B.Sasikumar.


From: "sasikumar bodathula"<sasikumar.b at rediffmail.com>
Sent: Wed, 29 May 2013 11:24:04 
To: "kerberos at MIT.EDU"<kerberos at MIT.EDU>
Subject: pkinit for multiple user support
Hi,
  I am trying to test multiple users with certificates (pkinit).

Following are the steps that were followed:

1. In KDC created 2 users testuser and testuser2 and enabled +requires_preauth with modprinc

2. Created the CA certificate and the KDC certificate

krb5.conf in KDC contains
pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem

3. Created certificate for testuser with CA created in step2

4. Created certificate for testuser2 with CA created in step2

krb5.conf in Client machine
pkinit_pool = DIR:/etc/certificates/usercerts/
pkinit_anchors = DIR:/etc/certificates/usercerts/

kinit command for testuser:

kinit -V -X X509_user_pool=DIR:/etc/certificates/usercerts/ \
      -X X509_anchors=DIR:/etc/certificates/usercerts/ \
      -X flag_RSA_PROTOCOL=yes testuser

kinit command for testuser2:

kinit -V -X X509_user_pool=DIR:/etc/certificates/usercerts/ \
      -X X509_anchors=DIR:/etc/certificates/usercerts/ \
      -X flag_RSA_PROTOCOL=yes testuser2

In both cases kinit prompts for a password.

NOTE:
1. If a certificate file is specified instead of a directory, it works fine and does not prompt for a password.
2. Both the testuser and testuser2 certificates, along with the CA certificate, are placed in the same location "/etc/certificates/usercerts/".

Please guide me if I am missing something important in this procedure.

Best Regards,

B.Sasikumar.
