FW: kinit failing when AD user joining using smaercard PIN on ubuntu 20.04

Vikram Yadav vikrampal at gmail.com
Wed Mar 3 06:57:28 EST 2021


PFA the latest logs.

I'm able to enter the PIN then this log is generated. Please let us
know what is the next step?

Regards,
Vikram

On Wed, 3 Mar 2021 at 16:20, Vikram Yadav <vikrampal at gmail.com> wrote:
>
> Hello Ken,
>
> Thanks for your kind response!
>
> I rectified the pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
> tested again but it throws error regarding "no acceptable EKU in KDC
> cert"
>
> I read the link you sent in the below mail, it says setting
> pkinit_eku_checking is not necessary.
>
> What should we do now?
>
> Regards,
> Vikram
>
> -----Original Message-----
> From: Ken Hornstein <kenh at cmf.nrl.navy.mil>
> Sent: Tuesday, March 2, 2021 7:59 PM
> To: Pal, Vikram
> Cc: kerberos at mit.edu; Agrawal, Rajeev; Shastry, Shashiraja;
> Rajagopalan, SrinivasaRagavan; Venkatesh, Ramanujam
> Subject: Re: kinit failing when AD user joining using smaercard PIN on
> ubuntu 20.04
>
>
> [EXTERNAL EMAIL]
>
> >PFA the Kerberos logs got while running kinit command.  Could you
> >please help us understand as to where we ae going here & what should we
> >do to make it work?
>
> Well, you COULD have included them as text rather than a picture :-)
> But, fine.  I see you get a PIN prompt, but I'm not clear if you
> actually had the chance to enter in a PIN or not.  Also, I see this:
>
> PKINIT no anchor CA in file /etc/ssl/ca-pem/root//blrdhcdev.cer
>
> And that file extension makes me think the certificate there is in DER
> format, not PEM.  But I think your REAL problem is down below:
>
> PKINIT client config accepts KDC dNSName SAN BLRDHCDEV.COM PKINIT
> client found dNSName SAN in KDC cert: blrdhcdev-ad.blrdhcdev.com
> PKINIT client found no acceptable SAN in KDC cert
>
> You can read about the PKINIT client configuration here:
>
>         https://web.mit.edu/kerberos/krb5-1.17/doc/admin/pkinit.html
>
> The key section is down where it says "Configuring the clients".
> It looks like you have
>
>         pkinit_kdc_hostname = BLRDHCDEV.COM
>
> But it really should be
>
>         pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
>
> (and you need one of those for each of your AD server hostnames).
>
> This is the configuration that tells the client that it can trust the
> KDC certificate.  If you don't have the KDC certificate with the
> special extensions that say, "This certificate is valid for your
> realm", then your client needs to be configured to say, "This set of
> certificates is valid for a KDC certificate".  And you need to
> explicitly list every dNSName in your client.  That's what
> pkinit_kdc_hostname does.
>
> --Ken


More information about the Kerberos mailing list