configure PKINIT on Linux got No realms configured correctly for pkinit support

Vivian zhang jianz3 at yahoo.com
Thu Jul 25 12:57:18 EDT 2013


Hi Ben,
 
Thanks for replying.  I do have all those three items in my kdc.conf.  Here is my kdc.conf:
 
 
[kdcdefaults]
  kdc_ports = 88
[realms]
  BARBW.REALM = {
    database_name = /usr/local/var/krb5kdc/principal
    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    acl_file = /usr/local/var/krb5kdc/kadm5.acl
    key_stash_file = /usr/local/var/krb5kdc/stash
    kdc_ports = 88
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = aes256-cts-hmac-sha1-96
    supported_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc
    default_principal_flags = +preauth
    key_stash_file = /usr/local/var/krb5kdc/.k5.BARBW.REALM
    pkinit_identify = FILE:/var/lib/kerberos/krb5kdc/kdc.pem,/var/lib/kerberos/krb5kdc/kdckey.pem
    pkinit_anchors = FILE:/var/lib/kerberos/krb5kdc/cacert.pem
    kdc_tcp_ports = 88
  }
[logging]
  kdc = FILE:/var/log/krb5kdc/kdc.log
  admin_server = FILE:/var/log/krb5kdc/kadmin.log
[plugins]
  kdcpreauth = {
    module = pkinit:/usr/lib/krb5/plugins/preauth/pkinit.so
  }

Thank you again

Vivian


________________________________
 From: Benjamin Kaduk <kaduk at MIT.EDU>
To: Vivian zhang <jianz3 at yahoo.com> 
Cc: "krbdev at mit.edu" <krbdev at MIT.EDU> 
Sent: Tuesday, July 23, 2013 8:14 PM
Subject: Re: configure PKINIT on Linux got No realms configured correctly for	pkinit support
  

On Tue, 23 Jul 2013, Vivian zhang wrote:

> Hi,
>  
> I am trying to get my Linux system to support PKINIT.  I followed the instructions on the MIT website to generate keys and certificates, etc.  I have also installed the plugin (Krb5-plugin-preauth-pkinit-1.10.2-3.16.1.i586). 
>  
> However, it didn't work.  There is so little information online to see what is wrong.  Can anybody help?  The error I got from the KDC log is:
>  
> (Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
> (info): setting up network...
> (info): listening on fd 7: udp 0.0.0.0.88 (pktinfo)
> ..........
>  
> Has anybody encountered this problem, or does anybody know what's going wrong? 

You have seen http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html ?

Does your kdc.conf contain pkinit_identity, pkinit_anchors, and kdc_tcp_ports options?

-Ben Kaduk
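
An added example, not part of the original thread and not MIT krb5 code: a small Python check that each realm stanza in a kdc.conf contains the three options named in the reply above, reporting any similarly spelled key it finds in place of a missing one. Treating those three options as required is an assumption of this example, and the sample input is constructed by abridging the kdc.conf posted in the thread.

```python
import difflib
import re

# Options the reply asks about; treated as required per realm (assumption).
REQUIRED = ("pkinit_identity", "pkinit_anchors", "kdc_tcp_ports")

# Constructed sample: the [realms] stanza posted in the thread, abridged.
SAMPLE = """\
[realms]
  BARBW.REALM = {
    default_principal_flags = +preauth
    pkinit_identify = FILE:/var/lib/kerberos/krb5kdc/kdc.pem,/var/lib/kerberos/krb5kdc/kdckey.pem
    pkinit_anchors = FILE:/var/lib/kerberos/krb5kdc/cacert.pem
    kdc_tcp_ports = 88
  }
"""

def realm_options(text):
    """Return {realm: set(option names)} for each stanza under [realms]."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif section != "realms":
            continue
        elif line.endswith("{"):
            current = line.split("=", 1)[0].strip()
            realms[current] = set()
        elif line == "}":
            current = None
        elif current and "=" in line:
            realms[current].add(line.split("=", 1)[0].strip())
    return realms

def check(text):
    """Return (realm, missing_option, lookalike_or_None) for each gap found."""
    findings = []
    for realm, opts in realm_options(text).items():
        for want in REQUIRED:
            if want not in opts:
                near = difflib.get_close_matches(want, sorted(opts), n=1, cutoff=0.8)
                findings.append((realm, want, near[0] if near else None))
    return findings

if __name__ == "__main__":
    for realm, want, near in check(SAMPLE):
        print(f"{realm}: missing {want}" + (f" (found similar key '{near}')" if near else ""))
```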

