kinit failing when AD user joining using smaercard PIN on ubuntu 20.04

Pal, Vikram Vikram.Yadav at dell.com
Tue Mar 2 05:47:36 EST 2021



-----Original Message-----
From: Pal, Vikram 
Sent: Tuesday, March 2, 2021 2:06 PM
To: Ken Hornstein
Cc: kerberos at mit.edu
Subject: RE: kinit failing when AD user joining using smaercard PIN on ubuntu 20.04

Hello Ken,

I tried again according to your suggestion but I'm not getting any logging info in /tmp/kinit.log

Am I missing something here?

Regards,
Vikram

-----Original Message-----
From: Ken Hornstein <kenh at cmf.nrl.navy.mil> 
Sent: Tuesday, March 2, 2021 1:10 AM
To: Pal, Vikram
Cc: kerberos at mit.edu
Subject: Re: kinit failing when AD user joining using smaercard PIN on ubuntu 20.04


>We are login to Ubuntu 20.04 device using smartcard PIN. We are able to 
>login as AD user successfully.  We are using Windows 2019 AD Server.

So, I don't know what this means.  I suspect that Kerberos isn't working correctly here and you're falling back to something else.

>We tried kinit manually but it's throwing error. It asks for PIN but 
>immediately asks for password without waiting for pin to be entered.

So ... there are a LOT of ways for PKINIT to go wrong (that's the protocol you use when using a smartcard), especially when a PKCS#11 module is involved, and some of the failure modes end up causing weird things to happen (and many of them cause fallbacks to a password prompt).  But I'm not sure why you're running "sudo kinit [...]"; shouldn't you just run kinit without sudo?  I am wondering if sudo is causing the PIN prompt and kinit is giving you the password prompt.

My suggestion is to run kinit again with the environment variable KRB5_TRACE set to point to a debug file.  E.g.:

env KRB5_TRACE=/tmp/kinit.log kinit [extra kinit options here]

That might point you to what is going wrong.

--Ken
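As an added example (not part of either message in this thread): a POSIX shell script that runs kinit the way Ken describes, as the logged-in user with KRB5_TRACE on the same command line, and then summarizes the resulting trace. It assumes MIT Kerberos kinit is on PATH; the principal user@EXAMPLE.COM is hypothetical, and the sample trace lines are constructed, modelled on the KRB5_TRACE line format, so treat the exact message strings as assumptions. One caveat worth knowing when the log file stays empty: sudo's default env_reset drops most environment variables, so a KRB5_TRACE set outside of sudo never reaches a kinit that is run under it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes MIT Kerberos kinit on PATH
# and a principal such as user@EXAMPLE.COM (hypothetical). The trace
# lines used as samples are constructed, modelled on KRB5_TRACE output.

# Run kinit as the logged-in user (no sudo) with KRB5_TRACE on the same
# command line, so the variable reaches kinit and the PIN prompt, the
# PKCS#11 module and the trace file all belong to one unprivileged user.
trace_kinit() {
    principal="$1"
    log="${2:-/tmp/kinit.log}"
    : > "$log"
    KRB5_TRACE="$log" kinit "$principal"
    status=$?
    echo "kinit exit status: $status"
    summarize_trace "$log"
    return "$status"
}

# Decide from the trace what happened to the smartcard (PKINIT) preauth.
classify_trace() {
    log="$1"
    if [ ! -s "$log" ]; then
        # Nothing written: kinit never saw KRB5_TRACE (for example because
        # sudo's env_reset dropped it) or never got far enough to log.
        echo "empty-trace"
    elif grep -q 'Preauth module pkinit (16) (real) returned: 0/' "$log"; then
        echo "pkinit-ok"
    elif grep -q 'Preauth module encrypted_timestamp (2) (real) returned: 0/' "$log"; then
        # PKINIT did not complete and the client fell back to a password.
        echo "password-fallback"
    elif grep -q 'Processing preauth types:' "$log" && ! grep -q 'PA-PK-AS-REQ (16)' "$log"; then
        # The KDC never offered PKINIT for this principal.
        echo "kdc-offered-no-pkinit"
    elif grep -qi 'pkinit' "$log"; then
        echo "pkinit-failed"
    else
        echo "no-pkinit"
    fi
}

# Print only the lines that matter for a smartcard login, then the verdict.
summarize_trace() {
    log="$1"
    echo "--- preauth / PKINIT lines from $log ---"
    grep -iE 'pkinit|preauth|pkcs11|Received error from KDC' "$log" || echo "(none)"
    echo "verdict: $(classify_trace "$log")"
}

# Constructed sample trace: the KDC offers PKINIT, the client has no usable
# identity, and kinit falls back to the password (encrypted timestamp).
write_sample_trace() {
    cat > "$1" <<'EOF'
[2231] 1614700000.100000: Getting initial credentials for user@EXAMPLE.COM
[2231] 1614700000.200000: Processing preauth types: PA-PK-AS-REQ (16), PA-ENC-TIMESTAMP (2)
[2231] 1614700000.300000: PKINIT client has no configured identity; giving up
[2231] 1614700000.400000: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
EOF
}

# With a principal argument, do the real run; with none, show the analysis
# on the constructed sample so the script can be tried without a KDC.
if [ $# -gt 0 ]; then
    trace_kinit "$@"
else
    sample=$(mktemp)
    write_sample_trace "$sample"
    summarize_trace "$sample"
    rm -f "$sample"
fi
```

Usage: `sh kinit-trace.sh user@EXAMPLE.COM` runs kinit as the current user and prints the verdict; with no argument it analyzes the constructed sample and reports password-fallback, which is the pattern that matches a PIN prompt immediately followed by a password prompt.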
