X.509 preauth

Pascal Jakobi pascal.jakobi at gmail.com
Fri Oct 30 18:14:56 EDT 2015

Hi there

I am trying to run pkinit/X.509 with the standard MIT rpms delivered on 
I have created the certificates with OpenSSL, everything looks fine - I 
have a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and 
the corresponding KDC cert and CA cert have been checked.
I also modified the principal with kadmin: "modprinc +requires_preauth 

I run kinit for the "toto" principal with KRB5_TRACE set. I can see that 
the KDC sends the following to the client:

    [6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133

PA-PK-AS-REQ (16), which I understand is for X.509 certificate 
preauthentication, is not in the list.

I guess something is therefore wrong on my KDC configuration, but I 
cannot see what.
Can someone enlighten me?
Thanks in advance.

Pascal Jakobi <mailto:pascal.jakobi at gmail.com>
116 rue de Stalingrad, 93100 Montreuil
Tel : +33 6 87 47 58 19

[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = THALES.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 THALES.COM = {
  kdc = kdc.jakobi.fr
  admin_server = kdc.jakobi.fr
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
 }

[domain_realm]
 .jakobi.fr = THALES.COM
 jakobi.fr = THALES.COM

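The KRB5_TRACE hint quoted in the post lists the PA-DATA types the KDC is willing to accept before the client has authenticated, and reading them as raw numbers is error-prone. The following Python is an added example, not code from the post or from MIT Kerberos: it parses KRB5_TRACE lines of the form "[pid] seconds.micros: message", extracts the "Processing preauth types" hint, decodes the numbers with the PA-DATA type registry from RFC 4120, RFC 4556 and RFC 6113, and reports whether a PKINIT request type (16, or the older 14) was offered. The second trace line is constructed to show what a KDC that does offer PKINIT produces; the first is the one from the post, where the KDC only offers FAST (136), ETYPE-INFO2 (19), ENC-TIMESTAMP (2) and the FX cookie (133).

```python
import re

# PA-DATA type numbers from RFC 4120 section 7.5.2, RFC 4556 section 3.2
# and RFC 6113 section 7 (the FAST and cookie types).
PA_TYPES = {
    1: "PA-TGS-REQ",
    2: "PA-ENC-TIMESTAMP",
    3: "PA-PW-SALT",
    11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ_OLD",
    15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    137: "PA-FX-ERROR",
    138: "PA-ENCRYPTED-CHALLENGE",
}

# A KDC that is willing to do PKINIT advertises one of these request types
# in the preauth hint it returns before the client has authenticated.
PKINIT_REQUEST_TYPES = {14, 16}

# KRB5_TRACE lines look like "[pid] seconds.micros: message".
TRACE_LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*\S)\s*$")
PREAUTH_MSG_RE = re.compile(
    r"^Processing preauth types:\s*(?P<types>\d+(?:\s*,\s*\d+)*)$")


def parse_trace_line(line):
    """Split one KRB5_TRACE line into pid, timestamp and message, or None."""
    m = TRACE_LINE_RE.match(line.strip())
    if not m:
        return None
    return {"pid": int(m.group("pid")),
            "ts": float(m.group("ts")),
            "msg": m.group("msg")}


def offered_preauth_types(trace_lines):
    """Return every PA type number the KDC advertised, in order of appearance."""
    types = []
    for line in trace_lines:
        rec = parse_trace_line(line)
        if rec is None:
            continue  # not a trace line (blank, prompt, other output)
        m = PREAUTH_MSG_RE.match(rec["msg"])
        if m:
            types.extend(int(t) for t in m.group("types").split(","))
    return types


def describe_types(types):
    """Render numbers as '16 (PA-PK-AS-REQ)' so the hint is readable."""
    return ["%d (%s)" % (t, PA_TYPES.get(t, "unknown")) for t in types]


def pkinit_offered(trace_lines):
    """True when the KDC's preauth hint includes a PKINIT request type."""
    return any(t in PKINIT_REQUEST_TYPES
               for t in offered_preauth_types(trace_lines))


# Constructed sample input: the first line is the one quoted in the post,
# the second is a made-up hint from a KDC that does offer PKINIT.
TRACE_WITHOUT_PKINIT = [
    "[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133",
]
TRACE_WITH_PKINIT = [
    "[7001] 1446242000.000001: Processing preauth types: 16, 136, 19, 2, 133",
]

if __name__ == "__main__":
    for name, lines in (("post", TRACE_WITHOUT_PKINIT),
                        ("constructed", TRACE_WITH_PKINIT)):
        print(name, describe_types(offered_preauth_types(lines)),
              "PKINIT offered:", pkinit_offered(lines))
```

Running it over a full KRB5_TRACE capture (for example the output of `KRB5_TRACE=/dev/stderr kinit toto 2>&1`) gives a quick yes/no on whether the KDC side is advertising PKINIT at all, which separates a KDC-side configuration problem from a client certificate or trust-anchor problem before any certificates are examined.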
