set_string/pkinit_cert_match
Pallissard, Matthew
kerberos at pallissard.net
Thu Dec 28 14:05:33 EST 2017
I'm having issues when trying to use set_string with pkinit_cert_match. PKINIT does work when the SAN matches the user's principal explicitly. It does not work when I try to map it to a user where the principal does not match the SAN.
I'm using MIT kerberos 1.16 on both clients and servers.
The KDC replies with 'Received error from KDC: -1765328309/Client name mismatch' no matter what I try to match on.
I've tried several variations (with/without whitespace, commas escaped, with/without quotes, explicit fields, wildcards, etc.):
set_string differentuser pkinit_cert_match <SAN>.*@PALLISSARD.NET
set_string differentuser pkinit_cert_match <SAN>.*
set_string differentuser pkinit_cert_match <SAN>user@PALLISSARD.NET
set_string differentuser pkinit_cert_match "<SUBJECT>C=US,ST=Full,O=Subject,OU=line,CN=user"
set_string differentuser pkinit_cert_match "<SUBJECT>.*CN=user"
'pkinit_eku_checking = none' is set on the KDC. I've tried it in the [kdcdefaults] section as well as the realm specific sub-section of [realms].
Am I missing something here? Thanks in advance.
Matt Pallissard
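Added example (not from the post, and not MIT krb5 code): a small Python model of the documented pkinit_cert_match expression syntax, so the five rules above can be evaluated against a constructed certificate description and compared with what one expects the KDC to accept. The syntax modelled is the one MIT documents for the client-side krb5.conf option, which the kadmin string attribute reuses: an optional `&&` (all components must match, the default) or `||` (any component) prefix, followed by `<SUBJECT>`, `<ISSUER>` and `<SAN>` regular-expression components and `<EKU>`/`<KU>` comma-separated usage lists, with no separators between components. The `CertInfo` container, the DN and SAN strings, and the usage names are assumptions constructed for the example; the exact string form the KDC builds for the subject (RDN order, separators) and which SAN types it considers are implementation details of the KDC's pkinit module, so a `<SUBJECT>` regex should be checked against the KDC's actual formatting rather than this model.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the fields a KDC extracts from a client certificate.
# (Hypothetical container for this example; not an MIT krb5 type.)
@dataclass
class CertInfo:
    subject: str                                # subject DN as one string (assumed form)
    issuer: str                                 # issuer DN as one string
    sans: list = field(default_factory=list)    # principal-name SANs, e.g. "user@PALLISSARD.NET"
    eku: set = field(default_factory=set)       # extended key usage names (assumed spelling)
    ku: set = field(default_factory=set)        # key usage names (assumed spelling)

COMPONENT_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")

def parse_rules(expr):
    """Split '[&&|||]<KEY>value<KEY>value...' into (relation, [(key, value), ...])."""
    relation = "&&"                             # documented default: every component must match
    if expr[:2] in ("&&", "||"):
        relation, expr = expr[:2], expr[2:]
    parts = COMPONENT_RE.split(expr)            # ['', KEY1, value1, KEY2, value2, ...]
    if parts[0] != "" or len(parts) < 3:
        raise ValueError("no <KEY> component at start of rule: %r" % expr)
    return relation, [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]

def component_matches(key, value, cert):
    """Evaluate one component. Regex components use unanchored search, like POSIX regexec()."""
    if key == "SUBJECT":
        return re.search(value, cert.subject) is not None
    if key == "ISSUER":
        return re.search(value, cert.issuer) is not None
    if key == "SAN":
        return any(re.search(value, san) for san in cert.sans)
    wanted = {v.strip() for v in value.split(",") if v.strip()}
    have = cert.eku if key == "EKU" else cert.ku
    return wanted <= have                       # every listed usage must be present

def cert_matches(expr, cert):
    """True if the certificate satisfies the whole pkinit_cert_match expression."""
    relation, rules = parse_rules(expr)
    results = [component_matches(k, v, cert) for k, v in rules]
    return all(results) if relation == "&&" else any(results)

# Constructed certificate modelled on the values quoted in the post.
CERT = CertInfo(
    subject="C=US,ST=Full,O=Subject,OU=line,CN=user",
    issuer="CN=Example CA",
    sans=["user@PALLISSARD.NET"],
    eku={"pkinit"},
    ku={"digitalSignature"},
)

# The five expressions tried in the post.
POST_RULES = [
    "<SAN>.*@PALLISSARD.NET",
    "<SAN>.*",
    "<SAN>user@PALLISSARD.NET",
    "<SUBJECT>C=US,ST=Full,O=Subject,OU=line,CN=user",
    "<SUBJECT>.*CN=user",
]

def evaluate_post_rules(cert=CERT):
    """Map each rule from the post to whether it matches the constructed certificate."""
    return {rule: cert_matches(rule, cert) for rule in POST_RULES}

if __name__ == "__main__":
    for rule, ok in evaluate_post_rules().items():
        print("%-55s %s" % (rule, "match" if ok else "no match"))
    # Either a specific SAN, or (with ||) any one component such as the PKINIT EKU.
    print(cert_matches("||<SAN>other@PALLISSARD.NET<EKU>pkinit", CERT))
```

Under this model every rule from the post matches the constructed certificate, which is the point of the exercise: when a rule that looks correct is still rejected with "Client name mismatch", the next thing to compare is the string the KDC actually builds from the certificate against the string the rule was written for, not the rule syntax itself.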