Re: pkinit for multiple user support

sasikumar bodathula sasikumar.b at
Wed May 29 02:08:23 EDT 2013

Forgot to mention following in previous e-mail.

Some more info: I tried kinit with the X509_user_pool option (does this exist, since kinit did not complain?) and the X509_user_identity option with DIR: (is this supported, or does each user's specific file need to be mentioned in the kinit command with a FILE: option?).

From: "sasikumar bodathula"<sasikumar.b at>
Sent: Wed, 29 May 2013 11:24:04 
To: "kerberos at MIT.EDU"<kerberos at MIT.EDU>
Subject: pkinit for multiple user support
I am trying to test multiple users with certificates (pkinit).

Following are the steps that were followed:

1. In the KDC, created 2 users, testuser and testuser2, and enabled +requires_preauth with modprinc

2. Created CA certificate and KDC certificate

krb5.conf in the KDC contains:
pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem

3. Created certificate for testuser with the CA created in step 2

4. Created certificate for testuser2 with the CA created in step 2

krb5.conf on the client machine:
pkinit_pool = DIR:/etc/certificates/usercerts/
pkinit_anchors = DIR:/etc/certificates/usercerts/

kinit command for testuser:

kinit -V -X X509_user_pool=DIR:/etc/certificates/usercerts/ -X X509_anchors=DIR:/etc/certificates/usercerts/ -X flag_RSA_PROTOCOL=yes testuser

kinit command for testuser2:

kinit -V -X X509_user_pool=DIR:/etc/certificates/usercerts/ -X X509_anchors=DIR:/etc/certificates/usercerts/ -X flag_RSA_PROTOCOL=yes testuser2

In both cases kinit prompts for a password.

1. If the certificate is specified instead of the directory, it works fine and does not prompt for a password.
2. Both the testuser and testuser2 certificates, along with the CA, are placed in the same location "/etc/certificates/usercerts/".

Please guide me if I am missing something important in this procedure.
