FW: kinit failing when AD user joining using smartcard PIN on ubuntu 20.04

Vikram Yadav vikrampal at gmail.com
Wed Mar 3 07:07:42 EST 2021


I updated pkinit_eku_checking = none & got this error. Please let me
know what's going on and what's the remedy?

Regards,
Vikram

On Wed, 3 Mar 2021 at 17:27, Vikram Yadav <vikrampal at gmail.com> wrote:
>
> PFA the latest logs.
>
> I'm able to enter the PIN, then this log is generated. Please let us
> know what the next step is?
>
> Regards,
> Vikram
>
> On Wed, 3 Mar 2021 at 16:20, Vikram Yadav <vikrampal at gmail.com> wrote:
> >
> > Hello Ken,
> >
> > Thanks for your kind response!
> >
> > I rectified the pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com and
> > tested again, but it throws an error regarding "no acceptable EKU in KDC
> > cert".
> >
> > I read the link you sent in the mail below; it says setting
> > pkinit_eku_checking is not necessary.
> >
> > What should we do now?
> >
> > Regards,
> > Vikram
> >
> > -----Original Message-----
> > From: Ken Hornstein <kenh at cmf.nrl.navy.mil>
> > Sent: Tuesday, March 2, 2021 7:59 PM
> > To: Pal, Vikram
> > Cc: kerberos at mit.edu; Agrawal, Rajeev; Shastry, Shashiraja;
> > Rajagopalan, SrinivasaRagavan; Venkatesh, Ramanujam
> > Subject: Re: kinit failing when AD user joining using smartcard PIN on
> > ubuntu 20.04
> >
> >
> > [EXTERNAL EMAIL]
> >
> > >PFA the Kerberos logs got while running kinit command.  Could you
> > >please help us understand as to where we are going here & what should we
> > >do to make it work?
> >
> > Well, you COULD have included them as text rather than a picture :-)
> > But, fine.  I see you get a PIN prompt, but I'm not clear if you
> > actually had the chance to enter in a PIN or not.  Also, I see this:
> >
> > PKINIT no anchor CA in file /etc/ssl/ca-pem/root//blrdhcdev.cer
> >
> > And that file extension makes me think the certificate there is in DER
> > format, not PEM.  But I think your REAL problem is down below:
> >
> > PKINIT client config accepts KDC dNSName SAN BLRDHCDEV.COM
> > PKINIT client found dNSName SAN in KDC cert: blrdhcdev-ad.blrdhcdev.com
> > PKINIT client found no acceptable SAN in KDC cert
> >
> > You can read about the PKINIT client configuration here:
> >
> >         https://web.mit.edu/kerberos/krb5-1.17/doc/admin/pkinit.html
> >
> > The key section is down where it says "Configuring the clients".
> > It looks like you have
> >
> >         pkinit_kdc_hostname = BLRDHCDEV.COM
> >
> > But it really should be
> >
> >         pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
> >
> > (and you need one of those for each of your AD server hostnames).
> >
> > This is the configuration that tells the client that it can trust the
> > KDC certificate.  If you don't have the KDC certificate with the
> > special extensions that say, "This certificate is valid for your
> > realm", then your client needs to be configured to say, "This set of
> > certificates is valid for a KDC certificate".  And you need to
> > explicitly list every dNSName in your client.  That's what
> > pkinit_kdc_hostname does.
> >
> > --Ken
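
The two client-side checks Ken walks through above (does a dNSName SAN in the KDC certificate appear in pkinit_kdc_hostname, and is the pkinit_anchors file actually PEM) reproduced as a small diagnostic. This is an added example, not code from the thread or from MIT krb5; the krb5.conf fragments, the second AD host name blrdhcdev-ad2.blrdhcdev.com, the .pem anchor path and the certificate bytes are all constructed for illustration, and the parser is a minimal one for this example, not libkrb5's profile parser.

```python
"""Reproduce the PKINIT client-side decisions seen in the thread's log:
hostname-SAN matching against pkinit_kdc_hostname, and PEM-vs-DER sniffing
of the anchor file.  Example code, not part of MIT krb5."""
import re
from typing import Dict, List, Optional

# Constructed krb5.conf fragment with the misconfiguration from the thread:
# the realm name is given where a KDC host name is expected.
BROKEN_KRB5_CONF = """
[realms]
    BLRDHCDEV.COM = {
        kdc = blrdhcdev-ad.blrdhcdev.com
        pkinit_anchors = FILE:/etc/ssl/ca-pem/root/blrdhcdev.pem
        pkinit_kdc_hostname = BLRDHCDEV.COM
    }
"""

# Constructed corrected fragment: one pkinit_kdc_hostname line per AD server
# (the second host name is a placeholder, not from the thread).
FIXED_KRB5_CONF = """
[realms]
    BLRDHCDEV.COM = {
        kdc = blrdhcdev-ad.blrdhcdev.com
        kdc = blrdhcdev-ad2.blrdhcdev.com
        pkinit_anchors = FILE:/etc/ssl/ca-pem/root/blrdhcdev.pem
        pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
        pkinit_kdc_hostname = blrdhcdev-ad2.blrdhcdev.com
    }
"""


def parse_realms(conf: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the [realms] section of krb5.conf-style text into
    {realm: {key: [values]}}.  Repeated keys such as kdc and
    pkinit_kdc_hostname accumulate into a list, as krb5 treats them."""
    realms: Dict[str, Dict[str, List[str]]] = {}
    section: Optional[str] = None
    current: Optional[Dict[str, List[str]]] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            current = realms.setdefault(m.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms


def accepted_kdc_san(realm_cfg: Dict[str, List[str]],
                     cert_dns_sans: List[str]) -> Optional[str]:
    """Return the first dNSName SAN from the KDC certificate that is listed
    in pkinit_kdc_hostname, or None (the 'no acceptable SAN' case).
    DNS names are case-insensitive, so the comparison folds case."""
    accepted = {h.lower() for h in realm_cfg.get("pkinit_kdc_hostname", [])}
    for san in cert_dns_sans:
        if san.lower() in accepted:
            return san
    return None


def anchor_format(data: bytes) -> str:
    """Sniff a CA file: PEM carries a textual BEGIN marker; DER is binary
    ASN.1 whose first byte is the SEQUENCE tag 0x30.  pkinit_anchors with a
    FILE: path expects a PEM ca-bundle, so a DER file yields the
    'no anchor CA in file' message quoted in the thread."""
    if b"-----BEGIN" in data[:1024]:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def diagnose(conf: str, realm: str, cert_dns_sans: List[str]) -> List[str]:
    """Emit log-style lines mirroring the client's decision for one realm."""
    cfg = parse_realms(conf)[realm]
    out = [f"PKINIT client config accepts KDC dNSName SAN {h}"
           for h in cfg.get("pkinit_kdc_hostname", [])]
    out += [f"PKINIT client found dNSName SAN in KDC cert: {s}"
            for s in cert_dns_sans]
    match = accepted_kdc_san(cfg, cert_dns_sans)
    out.append(f"PKINIT client accepted KDC SAN {match}" if match
               else "PKINIT client found no acceptable SAN in KDC cert")
    return out


if __name__ == "__main__":
    # Constructed SAN list: what the thread's KDC certificate carried.
    sans = ["blrdhcdev-ad.blrdhcdev.com"]
    for conf in (BROKEN_KRB5_CONF, FIXED_KRB5_CONF):
        print("\n".join(diagnose(conf, "BLRDHCDEV.COM", sans)), end="\n\n")
    print(anchor_format(b"\x30\x82\x05\x00"))  # constructed DER header
```

Running it prints the broken configuration's "no acceptable SAN" outcome followed by the corrected one's match, which is exactly the difference between the two pkinit_kdc_hostname values Ken points at; the anchor_format check covers the earlier "no anchor CA in file" symptom, where the .cer file needs converting to PEM before pkinit_anchors will load it.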