[Pki-users] X.509 preauth

Fraser Tweedale ftweedal at redhat.com
Sun Nov 1 22:17:08 UTC 2015


On Fri, Oct 30, 2015 at 11:09:20PM +0100, Pascal Jakobi wrote:
> Hi there
> 
> I am trying to run pkinit/X.509 with the standard MIT rpms delivered on
> CentOS/Fedora/RHEL.
> I have created the certificates with OpenSSL, everything looks fine - I have
> a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and the
> corresponding KDC cert and CA cert have been checked.
> I also modified the principal with kadmin: "modprinc +requires_preauth
> toto".
> 
> I run kinit for the "toto" principal with KRB5_TRACE set. I can see that the
> KDC sends the following to the client :
> 
>    [6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
> 
> PA-PK-AS-REQ (16), which I understand is for X.509 certificate
> preauthentication, is not in the list.
> 
> I guess something is therefore wrong on my KDC configuration, but I cannot
> see what.
> Can someone enlighten me?
> Thanks in advance
> 
> -- 
> Pascal Jakobi <mailto:pascal.jakobi at gmail.com>
> 116 rue de Stalingrad, 93100 Montreuil
> France
> Tel : +33 6 87 47 58 19

> [logging]
>  default = FILE:/var/log/kerberos/krb5libs.log
>  kdc = FILE:/var/log/kerberos/krb5kdc.log
>  kdc = SYSLOG:DEBUG:LOCAL1
>  admin_server = FILE:/var/log/kerberos/kadmind.log
> 
> [libdefaults]
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
>  default_realm = THALES.COM
>  default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
> THALES.COM = {
>   kdc = kdc.jakobi.fr
>   admin_server = kdc.jakobi.fr
>   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>   pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
>  }
> 
> [domain_realm]
>  .jakobi.fr = THALES.COM
>  jakobi.fr = THALES.COM

Hi Pascal,

FYI, this mailing list is for Dogtag Certificate System questions.

Anyhow, did you read the MIT Kerberos pkinit guide[1]?  It looks
like the space after the comma in the `pkinit_anchors' directive
should not be there.

[1] http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html#configuring-the-kdc

Cheers,
Fraser
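Added example (not part of the thread, not MIT or Dogtag code): a small Python checker that flags whitespace after the comma in a `FILE:cert,key` pkinit value, the problem this reply points at, and parses the KRB5_TRACE line quoted above to report whether PA-PK-AS-REQ (16) is among the preauth types the KDC offered. The sample stanza is copied from the thread; the type numbers 136, 19, 2, 133 are the ones in the trace.

```python
"""Lint pkinit_* directives of a krb5.conf realm stanza and read a
KRB5_TRACE 'Processing preauth types' line to see if PKINIT was offered."""
import re

PA_PK_AS_REQ = 16  # RFC 4556 pa-data type for PKINIT

# Constructed sample: the realm stanza from the thread, stray space included.
SAMPLE_CONF = """[realms]
THALES.COM = {
  kdc = kdc.jakobi.fr
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
 }
"""

def lint_pkinit_identities(conf_text):
    """Return (line_no, problem) pairs for pkinit_anchors/pkinit_identities
    values of the documented form FILE:certfile[,keyfile] whose comma is
    followed by whitespace; the key file name would then carry a leading
    space and not match the file on disk."""
    problems = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r'\s*(pkinit_identities|pkinit_anchors)\s*=\s*(.*)$', line)
        if not m:
            continue
        key, value = m.groups()
        if value.startswith('FILE:') and re.search(r',\s+', value):
            problems.append((no, f"{key}: whitespace after comma in '{value}'"))
    return problems

def offered_preauth_types(trace_line):
    """Parse a KRB5_TRACE line such as
    '[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133'
    into the list of pa-data type numbers the KDC advertised."""
    m = re.search(r'Processing preauth types:\s*([\d,\s]+)$', trace_line)
    if not m:
        return []
    return [int(x) for x in m.group(1).split(',') if x.strip()]

def pkinit_offered(trace_line):
    """True if the KDC listed PA-PK-AS-REQ among its preauth types."""
    return PA_PK_AS_REQ in offered_preauth_types(trace_line)

if __name__ == '__main__':
    for no, problem in lint_pkinit_identities(SAMPLE_CONF):
        print(f"line {no}: {problem}")
    trace = '[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133'
    print('PKINIT offered by KDC:', pkinit_offered(trace))
```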
