Fwd: FW: kinit failing when AD user joining using smartcard PIN on ubuntu 20.04

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Mar 3 06:44:30 EST 2021


>I rectified the pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
>tested again but it throws error regarding "no acceptable EKU in KDC
>cert"
>
>I read the link you sent in the below mail, it says setting
>pkinit_eku_checking is not necessary.

Well, hm, I am not the expert on how AD realms and their certificates
are normally created.  I was under the impression that normally the
correct EKU is placed in the certificate, but maybe that didn't happen
in this case.  You COULD get a copy of the KDC certificate (just the
public portion, of course) and examine it with the openssl command-line
tools if you want to verify that.

Anyway, you should be able to solve this with the pkinit_eku_checking
client configuration option (it goes in the same section as
pkinit_kdc_hostname).  There are three possible values for this
entry: kpKDC (the default), kpServerAuth, and none.  So since kpKDC
doesn't work for you, I'd try kpServerAuth.  "none" is always an
option, but is not recommended.  With the PKI deployments I work
with, we have to use kpServerAuth (in theory we can get a certificate
with the correct EKU and the id-pkinit-san, but sadly there is a bug
in the generated encoding they produce so it doesn't work).

--Ken
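As an added example (not from this thread), here is a POSIX shell helper that takes the Extended Key Usage text printed by `openssl x509 -noout -ext extendedKeyUsage` (the `-ext` option assumes OpenSSL 1.1.1 or later) and reports which pkinit_eku_checking value the KDC certificate actually supports; the sample EKU strings below are constructed, not taken from a real AD certificate.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Map the EKU of a KDC certificate to the least permissive
# pkinit_eku_checking value that will accept it.
# Relevant EKU identifiers (RFC 4556 / RFC 5280):
#   id-pkinit-KPKdc = 1.3.6.1.5.2.3.5  (OpenSSL prints "Signing KDC Response")
#   id-kp-serverAuth = 1.3.6.1.5.5.7.3.1 (OpenSSL prints "TLS Web Server Authentication")
# Older OpenSSL builds may print the dotted OID instead of the long name,
# so both forms are matched.

# Usage: eku_setting_for "<EKU text as printed by openssl>"
# Prints kpKDC, kpServerAuth, or none.
eku_setting_for() {
    eku="$1"
    case "$eku" in
        *"Signing KDC Response"*|*"1.3.6.1.5.2.3.5"*)
            echo kpKDC ;;          # default setting already works
        *"TLS Web Server Authentication"*|*"1.3.6.1.5.5.7.3.1"*)
            echo kpServerAuth ;;   # what the thread suggests trying next
        *)
            echo none ;;           # would disable EKU checking; not recommended
    esac
}

# Usage: eku_setting_for_cert kdc-cert.pem   (needs the openssl binary)
eku_setting_for_cert() {
    eku_setting_for "$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null)"
}

# Constructed sample outputs, in the layout openssl uses.
SAMPLE_KDC="X509v3 Extended Key Usage:
    TLS Web Server Authentication, Signing KDC Response"
SAMPLE_SERVERAUTH="X509v3 Extended Key Usage:
    TLS Web Server Authentication"
SAMPLE_CODESIGN="X509v3 Extended Key Usage:
    Code Signing"

# Demonstration when run directly.
for s in "$SAMPLE_KDC" "$SAMPLE_SERVERAUTH" "$SAMPLE_CODESIGN"; do
    printf 'pkinit_eku_checking = %s\n' "$(eku_setting_for "$s")"
done
```

Put the reported value next to pkinit_kdc_hostname in krb5.conf; a result of `none` means the KDC certificate carries neither EKU and should be reissued rather than worked around.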


More information about the Kerberos mailing list