pkinit and AD 2008
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Jun 30 14:54:22 EDT 2008
--On Friday, June 27, 2008 12:05:41 PM -0400 Olga Kornievskaia
<aglo at citi.umich.edu> wrote:
> 3. dnsName in the KDC's certificate doesn't match the hostname specified
> in your krb5.conf
Um. Why would you expect that? PKINIT contains no requirement that the
KDC's certificate contain a dnsName, nor that it match any particular
hostname if it is present. The only requirement is for an id-pkinit-san
matching the name of the realm's TGS.
-- Jeff
More information about the krbdev
mailing list