kinit failing when AD user joining using smaercard PIN on ubuntu 20.04
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue Mar 2 09:28:35 EST 2021
>PFA the Kerberos logs got while running kinit command. Could you please
>help us understand as to where we ae going here & what should we do to
>make it work?
Well, you COULD have included them as text rather than a picture :-)
But, fine. I see you get a PIN prompt, but I'm not clear if you actually
had the chance to enter in a PIN or not. Also, I see this:
PKINIT no anchor CA in file /etc/ssl/ca-pem/root//blrdhcdev.cer
And that file extension makes me think the certificate there is in DER
format, not PEM. But I think your REAL problem is down below:
PKINIT client config accepts KDC dNSName SAN BLRDHCDEV.COM
PKINIT client found dNSName SAN in KDC cert: blrdhcdev-ad.blrdhcdev.com
PKINIT client found no acceptable SAN in KDC cert
You can read about the PKINIT client configuration here:
https://web.mit.edu/kerberos/krb5-1.17/doc/admin/pkinit.html
The key section is down where it says "Configuring the clients".
It looks like you have
pkinit_kdc_hostname = BLRDHCDEV.COM
But it really should be
pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
(and you need one of those for each of your AD server hostnames).
This is the configuration that tells the client that it can trust the
KDC certificate. If you don't have the KDC certificate with the special
extensions that say, "This certificate is valid for your realm",
then your client needs to be configured to say, "This set of certificates
is valid for a KDC certificate". And you need to explicitly list every
dNSName in your client. That's what pkinit_kdc_hostname does.
--Ken
More information about the Kerberos
mailing list