set_string/pkinit_cert_match

Pallissard, Matthew kerberos at pallissard.net
Thu Dec 28 14:05:33 EST 2017


I'm having issues when trying to use set_string with pkinit_cert_match.   PKINIT does work when the SAN matches the user's principal explicitly.  It does not work when I try to map it to a user where the principal does not match the SAN.

I'm using MIT kerberos 1.16 on both clients and servers.

The KDC replies with 'Received error from KDC: -1765328309/Client name mismatch' no matter what I try to match on.

I've tried several variations (with/without whitespace, commas escaped, with/without quotes, explicit fields, wildcards, etc)

set_string differentuser pkinit_cert_match <SAN>.*@PALLISSARD.NET
set_string differentuser pkinit_cert_match <SAN>.*
set_string differentuser pkinit_cert_match <SAN>user@PALLISSARD.NET
set_string differentuser pkinit_cert_match "<SUBJECT>C=US,ST=Full,O=Subject,OU=line,CN=user"
set_string differentuser pkinit_cert_match "<SUBJECT>.*CN=user"


'pkinit_eku_checking = none' is set on the KDC.   I've tried it in the [kdcdefaults] section as well as the realm specific sub-section of [realms].


Am I missing something here?  Thanks in advance.



Matt Pallissard
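
The post tries several pkinit_cert_match rule strings without saying which of them would even match the certificate. What follows is an added example, written for this page and not taken from the post or from MIT krb5: a small Python model of the rule syntax MIT documents for pkinit_cert_match (an optional leading "&&" for all-must-match, the default, or "||" for any-may-match, followed by <SUBJECT>, <ISSUER> and <SAN> regular expressions and <EKU>/<KU> comma-separated lists), run over a constructed description of a certificate built from the subject given in the post. It assumes that subject and issuer are presented in OpenSSL's oneline form ("/C=US/ST=.../CN=user"), which is the form MIT's OpenSSL crypto backend feeds to the matcher (confirm what your certificate shows with "openssl x509 -noout -subject -ext subjectAltName"), that SAN components are compared against each pkinit or UPN SAN as a principal string, and that Python's re.search is close enough to the unanchored POSIX extended-regex search MIT uses. CertInfo, CERT, POSTED_RULES, parse_rule, rule_matches and evaluate_posted_rules are names invented here. The model only answers whether a rule string matches the certificate data; it says nothing about whether or when the KDC consults the attribute.

```python
import re
from dataclasses import dataclass, field

# Keywords of the pkinit_cert_match rule language as documented by MIT krb5
# (kadmin set_string pkinit_cert_match / krb5.conf pkinit_cert_match).
REGEX_KEYWORDS = ("SUBJECT", "ISSUER", "SAN")   # value is a regular expression
SET_KEYWORDS = ("EKU", "KU")                    # value is a comma-separated list

# Each component is <KEYWORD>value, where value runs up to the next keyword tag
# (or end of string).  Lazy match plus lookahead keeps regex values intact.
COMPONENT_RE = re.compile(
    r"<(SUBJECT|ISSUER|SAN|EKU|KU)>(.*?)(?=<(?:SUBJECT|ISSUER|SAN|EKU|KU)>|$)",
    re.S,
)


@dataclass
class CertInfo:
    """Assumed view of a client certificate as the matcher sees it."""
    subject: str                               # OpenSSL oneline form, e.g. "/C=US/.../CN=user"
    issuer: str                                # same form
    sans: list = field(default_factory=list)   # pkinit / UPN SAN values as strings
    eku: set = field(default_factory=set)      # e.g. {"clientAuth", "pkinit"}
    ku: set = field(default_factory=set)       # e.g. {"digitalSignature"}


def parse_rule(rule):
    """Split a rule into (mode, [(keyword, value), ...]).

    mode is "and" (default, or an explicit leading "&&") or "or" (leading "||").
    """
    rule = rule.strip()
    mode = "and"
    if rule.startswith("||"):
        mode, rule = "or", rule[2:]
    elif rule.startswith("&&"):
        rule = rule[2:]
    comps = [(kw, val) for kw, val in COMPONENT_RE.findall(rule)]
    if not comps:
        raise ValueError("rule has no <KEYWORD>value components: %r" % rule)
    return mode, comps


def component_matches(kw, value, cert):
    """Evaluate one <KEYWORD>value component against the certificate."""
    if kw in REGEX_KEYWORDS:
        pat = re.compile(value)                # unanchored search, like regexec()
        if kw == "SUBJECT":
            return pat.search(cert.subject) is not None
        if kw == "ISSUER":
            return pat.search(cert.issuer) is not None
        return any(pat.search(san) is not None for san in cert.sans)
    # <EKU>/<KU>: every listed usage must be present in the certificate.
    wanted = {v.strip() for v in value.split(",") if v.strip()}
    have = cert.eku if kw == "EKU" else cert.ku
    return wanted <= have


def rule_matches(rule, cert):
    """True if the whole rule accepts the certificate under its && / || mode."""
    mode, comps = parse_rule(rule)
    results = [component_matches(kw, val, cert) for kw, val in comps]
    return all(results) if mode == "and" else any(results)


# Constructed certificate description (not the poster's real certificate): the
# subject from the post rendered in oneline form, plus a UPN-style SAN.
CERT = CertInfo(
    subject="/C=US/ST=Full/O=Subject/OU=line/CN=user",
    issuer="/C=US/O=Subject/CN=Example CA",
    sans=["user@PALLISSARD.NET"],
    eku={"clientAuth", "pkinit"},
    ku={"digitalSignature", "keyEncipherment"},
)

# The rule strings tried in the post, in the order given there.
POSTED_RULES = [
    "<SAN>.*@PALLISSARD.NET",
    "<SAN>.*",
    "<SAN>user@PALLISSARD.NET",
    "<SUBJECT>C=US,ST=Full,O=Subject,OU=line,CN=user",   # comma form never appears in oneline subject
    "<SUBJECT>.*CN=user",
]


def evaluate_posted_rules(cert=CERT):
    """Map each posted rule to whether it matches the constructed certificate."""
    return {rule: rule_matches(rule, cert) for rule in POSTED_RULES}


if __name__ == "__main__":
    for rule, ok in evaluate_posted_rules().items():
        print("%-8s %s" % ("match" if ok else "no match", rule))
```

Against the constructed certificate, every <SAN> rule and the ".*CN=user" rule match, while the comma-separated <SUBJECT> form does not, because the oneline subject is slash-delimited. A rule combining components, for example "<SUBJECT>.*DoE.*<SAN>.*@PALLISSARD.NET", fails under the default conjunctive mode and passes with a leading "||".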


More information about the Kerberos mailing list