[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PKINIT - allowed principal format?

Title: PKINIT - allowed principal format?

I'm new to Heimdal, it's the only opensource Kerberos
implementation utilizing PKINIT that I know of, thanks.
Activity looks limited though, what is the status, alternatives,
and expected update on PKINIT?

I've tried laters versions of Heimdal with no luck, so I
assume no version later than 4e (as doc'd :) ) will work
with Heimdal, so I've loaded it and OpenSSL 9.6.g onto Redhat 7.3.
I'm using the pkinit patch right off of pkinit.en.html.
I can make things function up to the point of kinit'ing with the
PKINIT authentication.  I think the problem might be in the
pki-allowed-principals format.  I'm understanding it should be
principal name and cert:


 pki-certificate = /usr/local/ca/testkeys/cacert.pem
 pki-private-key = /usr/local/ca/testkeys/cakey.pem
 pki-ca-dir = /usr/local/ca/certs
 pki-allowed-principals = {
   root = /usr/local/ca/testkeys/cacert.pem

The kinit for root results in:

kinit:  krb5_get_init_creds:  Unknown error 4294967295