X.509 preauth

Greg Hudson ghudson at mit.edu
Sat Oct 31 11:45:10 EDT 2015

On 10/31/2015 10:06 AM, Pascal Jakobi wrote:
> Problem is that nothing is logged on the KDC side...

There should be a message at startup, like:

    Oct 29 13:04:46 equal-rites krb5kdc[19021](Error): preauth pkinit
    failed to initialize: No realms configured correctly for pkinit

although it isn't as specific as it should be.

> pkinit_identity = FILE:/etc/pki/krb5/certs/kdc_cert.pem, /etc/pki/krb5/private/kdc_key.pem

I don't think the space after the comma there is permitted.  (More
precisely, it's treated as part of the pathname for the key file.)
