X.509 preauth
Pascal Jakobi
pascal.jakobi at gmail.com
Fri Oct 30 18:14:56 EDT 2015
Hi there
I am trying to run pkinit/X.509 with the standard MIT rpms delivered on
CentOS/Fedora/RHEL.
I have created the certificates with OpenSSL, everything looks fine - I
have a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and
the corresponding KDC cert and CA cert have been checked.
I also modified the principal with kadmin: "modprinc +requires_preauth
toto".
I run kinit for the "toto" principal with KRB5_TRACE set. I can see that
the KDC sends the following to the client:
[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
PA-PK-AS-REQ (16), which I understand is for X.509 certificate
preauthentication, is not in the list.
I guess something is therefore wrong on my KDC configuration, but I
cannot see what.
Can someone enlighten me?
Thanks in advance
--
Pascal Jakobi <mailto:pascal.jakobi at gmail.com>
116 rue de Stalingrad, 93100 Montreuil
France
Tel : +33 6 87 47 58 19
-------------- next part --------------
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
kdc = SYSLOG:DEBUG:LOCAL1
admin_server = FILE:/var/log/kerberos/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = THALES.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  THALES.COM = {
    kdc = kdc.jakobi.fr
    admin_server = kdc.jakobi.fr
    pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
    pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
  }
[domain_realm]
.jakobi.fr = THALES.COM
jakobi.fr = THALES.COM
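Added example, not part of the original post or of MIT krb5: a small Python checker that decodes the KRB5_TRACE "Processing preauth types" hint line quoted above (mapping the numbers to their PA-type names) and parses a krb5.conf like the attached one to pull out the pkinit_anchors and pkinit_identities settings for the default realm. The trace line and trimmed config are constructed from the post; the function names are my own.

```python
import re

# Preauth type numbers (RFC 4120, RFC 4556, RFC 6113) seen in KDC preauth hints.
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP",
            19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE", 136: "PA-FX-FAST"}
# Constructed sample input taken from the post: the trace line and a trimmed krb5.conf.
TRACE_LINE = "[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133"
SAMPLE_CONF = """[libdefaults]
 default_realm = THALES.COM
[realms]
 THALES.COM = {
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
 }
"""

def offered_preauth(trace_line):
    """Decode a KRB5_TRACE 'Processing preauth types:' line into {number: name}."""
    m = re.search(r"Processing preauth types:\s*(.*)$", trace_line)
    hints = m.group(1) if m else ""
    return {int(n): PA_TYPES.get(int(n), "unknown") for n in re.findall(r"\d+", hints)}

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, one level of name = { } blocks."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):              # realm = { ... } block
            sub = line[:-1].split("=")[0].strip()
            conf[section][sub] = {}
        elif line == "}":
            sub = None
        else:                                 # key = value; a repeated key keeps the last value
            key, _, value = line.partition("=")
            (conf[section][sub] if sub else conf[section])[key.strip()] = value.strip()
    return conf

def pkinit_settings(conf):
    """(anchors, identity cert, identity key) for the default realm, or None if incomplete."""
    r = conf.get("realms", {}).get(conf.get("libdefaults", {}).get("default_realm"), {})
    ident = r.get("pkinit_identities", "")
    if "pkinit_anchors" not in r or not ident.startswith("FILE:"):
        return None
    cert, _, key = ident[5:].partition(",")   # MIT syntax: FILE:certfile[,keyfile]
    return r["pkinit_anchors"], cert.strip(), key.strip() or None
```

Whether type 16 appears in the hint list is decided by the KDC's own configuration and loaded preauth modules, so a complete client-side krb5.conf alone does not make it show up.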