[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pkinit

On Thu, May 29, 2003 at 11:09:25AM +0800, Lun wrote:
> Hi, 
> I am trying to use pkinit to get a ticket from heimdal KDC..
> I use openssl to generate CA certificate and put it in /usr/local/ca/certs
> I also generate KDC certificate and put it in /var/heimdal/certs
> I configured /var/heimdal/kdc.conf and added
> 	enable-pkinit = yes
> 	pki-certificate = /var/heimdal/certs/kdc-cert.pem
> 	pki-private-key = /var/heimdal/certs/kdc-key.pem
> 	pki-ca-dir = /usr/local/ca/certs
> 	pki-allowed-principals = {
> 		ellen = ellen
this looks strange, the right side should be subject name from your X.509
certificate, i.e. output of command:
  'openssl x509 -subject -noout -in user-cert.pem'

However, this is not solution of your problem, I'm affraid.

> 	}
> 	where ellen is the user id in my system and in my user certificate.
> However, when I performed 
> 	kinit -C user-cert.pem -K user-key.pem -D /usr/local/ca/certs
> I got
> 	kinit: krb5_get_init_creds: Unsupported preauthentication type..

The KDC doesn't return the PKINIT preauthentication field filled in. Could
you provide me with the appropriate part of kdc.log?