kinit failing when AD user joining using smartcard PIN on ubuntu 20.04
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Mar 1 14:39:58 EST 2021
>We are logging in to an Ubuntu 20.04 device using a smartcard PIN. We are able to
>login as AD user successfully. We are using Windows 2019 AD Server.
So, I don't know what this means. I suspect that Kerberos isn't working
correctly here and you're falling back to something else.
>We tried kinit manually but it's throwing an error. It asks for PIN but
>immediately asks for password without waiting for pin to be entered.
So ... there are a LOT of ways for PKINIT to go wrong (that's the protocol
you use when using a smartcard), especially when a PKCS#11 module is
involved, and some of the failure modes end up causing weird things
to happen (and many of them cause fallbacks to a password prompt). But
I'm not sure why you're running "sudo kinit [...]"; shouldn't you just
run kinit without sudo? I am wondering if sudo is causing the PIN
prompt and kinit is giving you the password prompt.

My suggestion is to run kinit again with the environment variable
KRB5_TRACE set to point to a debug file. E.g.:

    env KRB5_TRACE=/tmp/kinit.log kinit [extra kinit options here]

That might point you to what is going wrong.
--Ken