X.509 preauth
Pascal Jakobi
pascal.jakobi at gmail.com
Sat Oct 31 10:06:21 EDT 2015
Thanks for the quick reply, but that does not solve it (even if it was a necessary step):
kinit pascal -X
pkinit_identities='/etc/pki/krb5/certs/pascal_cert.pem,/etc/pki/krb5/private/pascal_key.pem'
-X509_anchors=/etc/pki/CA/certs/ca_corp_cert.pem -X
X509_user_identity=C=FR,L=Paris,O=Corp,CN=Pascal
[28177] 1446299933.125876: Getting initial credentials for pascal@THALES.COM
[28177] 1446299933.126101: Sending request (163 bytes) to THALES.COM
[28177] 1446299933.126331: Resolving hostname kdc.jakobi.fr
[28177] 1446299933.129971: Sending initial UDP request to dgram
192.168.1.34:88
[28177] 1446299933.130844: Received answer (199 bytes) from dgram
192.168.1.34:88
[28177] 1446299933.134661: Response was not from master KDC
[28177] 1446299933.134746: Received error from KDC:
-1765328359/Additional pre-authentication required
*[28177] 1446299933.134801: Processing preauth types: 136, 133*
[28177] 1446299933.134810: Received cookie: MIT
[28177] 1446299933.134833: Retrying AS request with master KDC
[28177] 1446299933.134841: Getting initial credentials for pascal@THALES.COM
[28177] 1446299933.134900: Sending request (163 bytes) to THALES.COM
(master)
kinit: Generic preauthentication failure while getting initial
credentials
Problem is that nothing is logged on the KDC side... [Reviewer note: the KDC's "Additional pre-authentication required" reply above advertises only preauth types 136 (PA-FX-FAST) and 133 (PA-FX-COOKIE) and never 16 (PA-PK-AS-REQ), so the client is not being offered PKINIT at all; that is consistent with the KDC's PKINIT module not having loaded or not being configured for this realm, which is what the KDC log should be checked for.]
-------------- next part --------------
[logging]
# Where the KDC, kadmind and libkrb5 write their logs. For the PKINIT
# failure under discussion krb5kdc.log is the file to watch; if it stays
# empty, first confirm the KDC process can write to /var/log/kerberos.
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
default = FILE:/var/log/kerberos/krb5libs.log
[libdefaults]
default_realm = THALES.COM
# Do not derive the realm from DNS TXT records, and do not reverse-resolve
# hostnames when building service principal names.
dns_lookup_realm = false
rdns = false
# Default ticket lifetimes and flags requested by this host.
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Per-user kernel keyring credential cache.
default_ccache_name = KEYRING:persistent:%{uid}
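[realms]
THALES.COM = {
# KDC-side realm stanza. MIT documents pkinit_identity under kdc.conf, so
# verify that the KDC actually loads these settings from krb5.conf: its log
# should show the PKINIT module initialising, and the kinit trace should
# then list preauth type 16 (PA-PK-AS-REQ) among the offered types instead
# of only 136 and 133.
kdc = kdc.jakobi.fr
admin_server = kdc.jakobi.fr
# Trust anchor used to validate client certificates. Only the CA
# *certificate* belongs here; the CA private key was previously listed as
# a second path, which is not an anchor and should never be referenced
# (or stored) anywhere but on the CA itself.
pkinit_anchors = FILE:/etc/pki/CA/certs/ca_corp_cert.pem
# KDC certificate and private key. The previous value had a space after
# the comma, which would make the key path start with a blank; keep the
# list unspaced. Also note the attached kdc_cert.pem is signed with
# sha1WithRSAEncryption while the CA uses sha256; reissue it with SHA-256
# before this goes beyond a lab.
pkinit_identity = FILE:/etc/pki/krb5/certs/kdc_cert.pem,/etc/pki/krb5/private/kdc_key.pem
}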
[domain_realm]
# Map the jakobi.fr host domain (and any subdomain) onto the THALES.COM realm.
jakobi.fr = THALES.COM
.jakobi.fr = THALES.COM
-------------- next part --------------
[libdefaults]
default_realm = THALES.COM
# Keys read by MIT Kerberos. The krb4 and Heimdal-only keys further down are
# carried over from the distribution template and are ignored by MIT.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
# Leave the enctype lists unset: the library defaults are correct, and
# pinning enctypes here only disables newer ones as they are added, which
# creates interoperability problems. Uncomment and adjust them only if some
# local software cannot cope with ticket caches holding enctypes it does
# not know about (e.g. very old Sun Java). des3-hmac-sha1 is itself a
# legacy enctype; prefer AES if a pin is ever needed.
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# Heimdal-only libdefaults.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
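[realms]
THALES.COM = {
# Client-side realm stanza. Only the CA *certificate* is a PKINIT anchor;
# the CA private key was previously listed as a second path. A CA signing
# key has no business on a client host and is not an anchor in any case,
# so it is dropped here and the key file should be removed from the client.
pkinit_anchors = FILE:/etc/pki/CA/certs/ca_corp_cert.pem
# Client certificate and key. The kinit command in the thread points at
# /etc/pki/krb5/certs/pascal_cert.pem and /etc/pki/krb5/private/pascal_key.pem,
# whereas this stanza uses /etc/pki/krb5/pascal_cert.pem; make sure the
# files exist at the path actually used and that the key is readable only
# by its owner. The attached pascal_cert.pem is signed with
# sha1WithRSAEncryption; reissue it with SHA-256 before real deployment.
# On the kinit side, the PKINIT -X attributes are X509_user_identity and
# X509_anchors, both taking a FILE:/DIR:/PKCS12:/PKCS11: spec, not a DN.
# The client also has to validate the KDC certificate: openssl prints its
# SAN othername as <unsupported>, so confirm it carries the id-pkinit-san
# principal krbtgt/THALES.COM@THALES.COM, or set pkinit_kdc_hostname here.
pkinit_identities = FILE:/etc/pki/krb5/pascal_cert.pem,/etc/pki/krb5/pascal_key.pem
kdc = kdc.jakobi.fr:88
admin_server = kdc.jakobi.fr
default_domain = jakobi.fr
}
# The realms below are carried over from the distribution's example
# krb5.conf and are unrelated to the PKINIT problem; harmless, but they can
# be removed once the setup works.
JAKOBI.FR = {
kdc = kerberos.jakobi.fr:88
admin_server = kerberos.jakobi.fr
default_domain = jakobi.fr
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}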
[domain_realm]
# The only mapping this host needs: jakobi.fr and its subdomains -> THALES.COM.
jakobi.fr = THALES.COM
.jakobi.fr = THALES.COM
# Mappings below come from the distribution template (lookup is by longest
# matching suffix, so order does not matter).
mit.edu = ATHENA.MIT.EDU
.mit.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.utoronto.ca = UTORONTO.CA
.toronto.edu = UTORONTO.CA
[login]
# Kerberos 4 era login settings kept from the template; not involved in
# the PKINIT exchange.
krb4_get_tickets = false
krb4_convert = true
[logging]
# Log destinations. This appears to be the client-side file, so only the
# default (library) log is relevant here; the kdc/admin_server entries
# matter only if this same file is also installed on the KDC.
default = FILE:/var/log/kerberos/krb5lib.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
-------------- next part --------------
[root at kdc krb5kdc]# openssl x509 -in ca_cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13832453127853859041 (0xbff6bed511f860e1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, L=Paris, O=Corp, CN=kdc.jakobi.fr
Validity
Not Before: Oct 31 12:48:00 2015 GMT
Not After : Oct 30 12:48:00 2016 GMT
Subject: C=FR, L=Paris, O=Corp, CN=kdc.jakobi.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:41:7a:55:a2:79:af:99:cf:e1:2b:47:0e:bd:
4e:45:bf:24:d3:0a:39:ad:f6:8e:2f:86:36:07:7e:
70:e2:61:7d:85:68:37:b9:fb:1b:1b:f2:88:ad:b5:
bc:7a:dd:62:03:1b:8a:3b:53:e6:38:9f:c5:45:85:
b7:da:fd:92:f8:cc:bd:08:45:60:16:01:f6:5e:43:
e5:c4:2a:5c:24:0d:e1:d9:34:26:2d:2c:96:95:92:
a5:05:db:f6:cc:fc:1d:c4:11:d2:b1:e3:63:08:aa:
05:08:69:15:5a:85:11:34:97:c7:c2:37:40:8e:8a:
2b:a8:bf:61:57:c9:8e:54:2b:d3:de:5e:a3:96:94:
e2:0e:c3:2a:de:69:59:8a:67:aa:43:57:cf:3c:e9:
7d:18:33:cf:f3:65:fb:77:f3:92:41:a3:ae:13:c7:
f1:9e:88:5c:7d:41:51:3d:1d:a0:8c:4c:d0:c7:60:
4f:18:3c:14:76:20:56:74:b7:39:04:f4:cb:97:b7:
af:bb:cf:df:29:4a:22:a2:3c:d8:65:bb:c0:b2:30:
91:68:ab:e0:81:43:9a:31:54:79:e3:a3:c7:55:55:
4d:64:e9:94:7b:cf:d7:25:56:8f:24:63:fb:80:b3:
95:d9:a4:06:01:07:10:85:0c:8d:90:ae:9e:52:78:
26:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6A:98:E8:E8:CA:42:E2:0B:EF:CB:A1:41:16:54:25:B8:F2:1C:56:AA
X509v3 Authority Key Identifier:
keyid:6A:98:E8:E8:CA:42:E2:0B:EF:CB:A1:41:16:54:25:B8:F2:1C:56:AA
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
aa:e7:8d:ab:e7:03:51:71:10:eb:5c:5d:8a:93:40:1a:40:a0:
e1:e9:1e:fb:01:b6:42:45:73:80:cc:be:10:1f:29:42:c3:da:
e2:c5:23:2e:75:2a:da:c7:d8:33:e6:b2:ff:bd:ab:34:53:cb:
dc:90:87:5d:08:fc:33:7a:f4:0c:45:30:4b:ac:1b:50:1a:55:
db:78:44:3c:01:9f:c5:f6:c8:31:ad:ff:b4:08:14:66:db:48:
7f:3d:ed:db:23:41:fd:7f:15:ca:fb:37:8b:ca:15:7f:f9:00:
bd:d8:24:b2:fe:9e:cc:c2:31:bd:59:bf:04:d9:1a:63:cf:d2:
d1:bc:81:ee:ec:35:73:eb:d3:1f:e0:de:dd:01:b3:bf:1b:28:
05:21:d4:32:6a:f4:30:e8:ec:24:26:ef:60:53:3f:98:1d:ae:
7d:2c:0e:a9:5f:3f:a6:d0:08:7d:e6:2f:24:fc:7c:c5:d3:c5:
1b:b3:6b:3e:1f:d9:89:28:54:72:39:8e:ee:1c:97:52:ba:17:
27:2b:d6:f9:9a:1a:25:a5:83:54:b1:aa:be:72:fd:69:6b:8c:
f5:4e:f9:99:42:c7:3e:2b:9e:fa:4e:d6:cd:bb:a7:c5:bf:ad:
c6:27:44:9a:b1:33:d9:68:ee:64:2f:81:38:8e:3b:f7:18:e4:
9e:ba:25:00
[root at kdc krb5kdc]#
[root at kdc krb5kdc]# openssl x509 -in kdc_cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13013707461125528384 (0xb499f9fc7f3cdb40)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, L=Paris, O=Corp, CN=kdc.jakobi.fr
Validity
Not Before: Oct 31 12:55:20 2015 GMT
Not After : Oct 30 12:55:20 2016 GMT
Subject: C=FR, L=Paris, O=Thales, CN=kdc.jakobi.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ed:ad:bc:fe:39:19:e5:ae:a8:f8:99:91:f9:b5:
7b:62:b1:25:1d:4b:b8:af:c8:b8:e7:6b:54:4b:37:
18:43:f0:cb:77:39:d2:94:d7:f2:e2:8d:99:3f:b3:
dc:42:c2:d7:9a:87:05:90:b0:d6:9a:60:a4:69:9b:
dd:73:86:03:d8:06:4f:e0:96:a5:c7:82:6f:53:15:
eb:d2:f6:9d:d4:58:c7:aa:fc:de:8f:f0:65:07:f8:
79:8c:9a:c6:f5:74:bd:fd:a0:dd:cd:bb:e0:e0:32:
86:84:a3:ba:0b:34:9b:e0:9b:20:04:9d:8e:f8:83:
a7:e5:85:03:2e:0d:29:9d:07:ec:51:54:3c:1d:a3:
05:b7:bb:fe:e3:a5:77:1a:b2:9c:86:19:1d:d9:6c:
ce:97:e7:96:44:42:ed:44:88:34:bf:8a:2e:e4:d9:
a0:68:bc:bf:0b:8d:ea:35:c7:66:36:e9:24:65:ff:
36:01:e6:4e:8d:8d:19:1b:d0:e3:de:2c:09:10:5c:
e2:13:64:b7:ad:40:05:11:c7:a7:5a:54:42:4f:92:
f5:62:e8:a2:70:9e:25:7a:d1:2b:80:3d:bb:0c:0a:
10:6c:be:99:29:09:d2:c4:ef:cf:71:8a:a3:9b:26:
66:fb:00:64:52:69:a8:7b:7a:59:ac:14:80:48:a6:
d5:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.5
X509v3 Subject Key Identifier:
DD:48:47:EB:77:76:4A:FF:CD:00:BB:15:71:9B:C6:DD:C7:9E:34:EC
X509v3 Authority Key Identifier:
keyid:6A:98:E8:E8:CA:42:E2:0B:EF:CB:A1:41:16:54:25:B8:F2:1C:56:AA
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
83:de:d6:7a:d7:0d:a2:10:8c:81:4a:90:f3:0f:5d:8d:55:1f:
9a:96:36:0d:4f:cc:0c:7d:9b:43:0c:2a:e4:09:10:d4:8c:8f:
15:f2:c2:e9:f0:45:26:11:77:e6:b0:ed:5b:34:5f:df:41:f5:
2c:b6:2c:64:fb:5f:9d:36:76:77:64:82:2d:81:8b:36:46:99:
82:a2:2e:d8:9e:07:79:dc:0d:e1:84:82:99:3e:7f:c0:be:8f:
e2:a8:b9:0f:f7:ad:e2:9a:eb:8b:fd:61:7d:98:b8:04:99:0a:
90:4f:ac:fe:57:ea:a3:57:e9:ec:0e:de:1d:85:12:e2:85:ef:
90:ab:d1:7c:ee:57:ab:69:45:e1:9f:58:57:e1:d8:d0:1e:f8:
1f:32:5f:3b:05:3c:1e:ae:86:ae:26:ba:b0:ba:da:3b:f5:e4:
ae:d9:0f:84:e5:25:c7:ee:e3:10:bc:9e:bf:5f:10:41:9e:44:
ba:3d:cb:5b:da:0a:5d:d4:37:48:b4:d5:bd:31:7f:36:e8:77:
e9:a6:cf:42:65:c4:d3:48:70:22:b9:e8:9d:3e:c6:d6:99:36:
cb:d3:73:4d:b8:65:aa:07:b9:77:ee:a2:38:88:51:ef:0f:b2:
1c:fa:80:3f:a7:39:be:e3:64:ca:83:b0:71:2c:df:c6:0b:c0:
22:b6:1d:7c
[root at kdc krb5kdc]#
[root at kdc krb5kdc]# openssl x509 -in pascal_cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13013707461125528385 (0xb499f9fc7f3cdb41)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, L=Paris, O=Corp, CN=kdc.jakobi.fr
Validity
Not Before: Oct 31 12:59:34 2015 GMT
Not After : Oct 30 12:59:34 2016 GMT
Subject: C=FR, L=Paris, O=Corp, CN=Pascal
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ea:19:6b:ee:76:f5:6d:83:36:56:5a:81:33:ff:
7d:bd:a0:f2:48:53:d4:e6:63:6a:17:66:fe:ca:6a:
2e:1b:2e:b9:41:c1:45:6c:8d:c6:56:b9:f2:56:f4:
55:c3:e3:cf:48:91:49:07:69:4a:75:9a:67:06:69:
67:40:6a:85:2c:e0:db:22:e6:84:04:2d:c4:fd:92:
17:93:9a:f7:9b:ba:7d:95:5a:1d:3b:a2:b1:46:48:
2e:21:c4:13:a2:18:e7:8e:68:3b:ca:07:f6:15:6d:
5c:69:3c:32:72:4d:46:53:65:48:25:a4:86:42:32:
ee:54:00:9e:2e:1b:68:17:7e:8e:fd:78:49:76:19:
27:57:86:33:ff:fd:f8:17:26:8a:0e:c5:27:d9:4f:
15:91:18:c1:d4:ce:12:7f:7d:03:07:38:66:e8:0c:
aa:d0:86:18:1e:2b:7d:c2:b5:c6:70:e6:46:3b:74:
77:e9:f7:a4:9f:c1:1d:98:55:62:aa:c2:69:fa:3c:
d7:a4:96:d3:a8:74:f1:97:92:21:6e:d0:71:35:a1:
fb:01:c0:d9:29:d2:49:ab:d9:ae:55:c4:7c:4f:e8:
27:20:76:77:72:d8:c0:e0:60:11:7c:b3:40:e0:d0:
cd:d8:b7:a7:30:0a:48:aa:f2:4c:cf:56:99:f9:82:
b8:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.4
X509v3 Subject Key Identifier:
DA:C0:BB:16:ED:FC:09:CF:02:F3:45:57:28:BB:42:FB:10:C8:EA:1E
X509v3 Authority Key Identifier:
keyid:6A:98:E8:E8:CA:42:E2:0B:EF:CB:A1:41:16:54:25:B8:F2:1C:56:AA
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
11:b5:34:b6:bd:28:18:5d:7a:7c:7a:16:b9:c0:5d:f3:9b:7f:
59:66:a1:a7:7a:d3:71:8f:5d:8e:16:ae:85:31:bb:05:7c:fa:
7e:3d:0b:36:ec:2d:42:34:d7:0e:fc:74:da:86:b3:8e:6e:d5:
14:af:51:47:fe:57:1e:f2:40:7d:9d:a6:c9:b8:c4:cd:27:a0:
20:1d:02:8b:61:d5:4e:36:12:8a:2c:a5:98:65:05:2b:49:96:
d0:dc:37:2e:db:4f:a8:0b:d5:7f:f7:27:a9:4f:17:77:d3:28:
44:5d:9f:31:59:8a:df:6e:19:c7:6a:37:fa:46:99:b7:e0:96:
3c:8c:db:e0:6d:8f:a3:ae:86:13:63:8d:48:15:55:39:e3:92:
bc:50:c2:f8:05:e0:68:f7:72:a0:cb:d5:28:b0:b4:9e:23:59:
e5:4c:0c:05:b8:54:87:79:97:98:4b:14:b4:4b:4a:9a:24:e8:
f3:11:82:60:1d:61:d1:b5:13:4e:cb:bb:ba:e0:92:67:4d:9c:
5f:53:48:4b:82:43:4c:f4:63:b9:1b:4d:d6:cc:ab:80:d5:32:
9d:4e:3b:cc:72:a6:39:2c:f2:29:54:af:b1:94:40:f4:41:0a:
cf:78:4c:16:81:f1:b0:ab:f9:14:57:22:1b:d5:d1:b6:a2:68:
0f:88:2b:72
[root at kdc krb5kdc]#