Fwd: FW: kinit failing when AD user joining using smartcard PIN on ubuntu 20.04

Vikram Yadav vikrampal at gmail.com
Wed Mar 3 05:50:27 EST 2021


Hello Ken,

Thanks for your kind response!

I rectified pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com and
tested again, but it throws an error regarding "no acceptable EKU in KDC
cert".

I read the link you sent in the mail below; it says setting
pkinit_eku_checking is not necessary.

What should we do now?

Regards,
Vikram

-----Original Message-----
From: Ken Hornstein <kenh at cmf.nrl.navy.mil>
Sent: Tuesday, March 2, 2021 7:59 PM
To: Pal, Vikram
Cc: kerberos at mit.edu; Agrawal, Rajeev; Shastry, Shashiraja;
Rajagopalan, SrinivasaRagavan; Venkatesh, Ramanujam
Subject: Re: kinit failing when AD user joining using smartcard PIN on
ubuntu 20.04



>PFA the Kerberos logs got while running kinit command.  Could you
>please help us understand as to where we are going here & what should we
>do to make it work?

Well, you COULD have included them as text rather than a picture :-)
But, fine.  I see you get a PIN prompt, but I'm not clear if you
actually had the chance to enter in a PIN or not.  Also, I see this:

PKINIT no anchor CA in file /etc/ssl/ca-pem/root//blrdhcdev.cer

And that file extension makes me think the certificate there is in DER
format, not PEM.  But I think your REAL problem is down below:

PKINIT client config accepts KDC dNSName SAN BLRDHCDEV.COM
PKINIT client found dNSName SAN in KDC cert: blrdhcdev-ad.blrdhcdev.com
PKINIT client found no acceptable SAN in KDC cert

You can read about the PKINIT client configuration here:

        https://web.mit.edu/kerberos/krb5-1.17/doc/admin/pkinit.html

The key section is down where it says "Configuring the clients".
It looks like you have

        pkinit_kdc_hostname = BLRDHCDEV.COM

But it really should be

        pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com

(and you need one of those for each of your AD server hostnames).

This is the configuration that tells the client that it can trust the
KDC certificate.  If you don't have the KDC certificate with the
special extensions that say, "This certificate is valid for your
realm", then your client needs to be configured to say, "This set of
certificates is valid for a KDC certificate".  And you need to
explicitly list every dNSName in your client.  That's what
pkinit_kdc_hostname does.

--Ken
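Added example, not from Ken's reply or the krb5 sources: a small Python model of the two checks behind the log lines quoted above (dNSName SAN against pkinit_kdc_hostname, then the EKU check controlled by pkinit_eku_checking), run against a constructed stand-in for the AD KDC certificate. The EKU values of the real certificate, and the omission of chain, key-usage and id-pkinit-san checks, are assumptions.

```python
# Added example (not krb5's code): simplified model of the SAN and EKU checks a
# PKINIT client applies to the KDC certificate. Constructed inputs throughout.
from dataclasses import dataclass

ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"     # id-pkinit-KPKdc EKU (RFC 4556)
ID_KP_SERVERAUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (TLS server) EKU


@dataclass
class KdcCert:
    """Fields pulled out of a KDC certificate (constructed, not parsed from DER)."""
    dns_sans: list
    ekus: list


def san_check(cert, pkinit_kdc_hostnames):
    """Accept if some dNSName SAN equals a configured pkinit_kdc_hostname
    (compared case-insensitively, as DNS names are). Returns (ok, reason)."""
    accepted = {h.lower() for h in pkinit_kdc_hostnames}
    for san in cert.dns_sans:
        if san.lower() in accepted:
            return True, ""
    return False, "PKINIT client found no acceptable SAN in KDC cert"


def eku_check(cert, pkinit_eku_checking="kpKDC"):
    """Model of pkinit_eku_checking: kpKDC (default) requires id-pkinit-KPKdc,
    kpServerAuth additionally accepts id-kp-serverAuth, none skips the check."""
    if pkinit_eku_checking == "none":
        return True, ""
    wanted = {ID_PKINIT_KPKDC}
    if pkinit_eku_checking == "kpServerAuth":
        wanted.add(ID_KP_SERVERAUTH)
    if wanted & set(cert.ekus):
        return True, ""
    return False, "no acceptable EKU in KDC cert"


def verify_kdc_cert(cert, pkinit_kdc_hostnames, pkinit_eku_checking="kpKDC"):
    """SAN check first, then EKU check: the order in which the thread hit errors."""
    ok, reason = san_check(cert, pkinit_kdc_hostnames)
    if ok:
        ok, reason = eku_check(cert, pkinit_eku_checking)
    return ok, reason


# Constructed stand-in for the AD DC certificate: DC dNSName SAN, serverAuth EKU
# only (assumption; inspect the real certificate to confirm its EKUs).
AD_KDC_CERT = KdcCert(dns_sans=["blrdhcdev-ad.blrdhcdev.com"], ekus=[ID_KP_SERVERAUTH])

if __name__ == "__main__":
    for hosts in (["BLRDHCDEV.COM"], ["blrdhcdev-ad.blrdhcdev.com"]):
        print(hosts, verify_kdc_cert(AD_KDC_CERT, hosts))
```

With the realm name configured the SAN check fails; with the DC hostname configured the SAN check passes and the EKU check becomes the next thing to fail, which is the sequence seen in this thread.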

