
Re: pkinit

On Thu, May 29, 2003 at 11:09:25AM +0800, Lun wrote:
> Hi, 
> 
> I am trying to use pkinit to get a ticket from heimdal KDC..
> 
> I use openssl to generate CA certificate and put it in /usr/local/ca/certs
> I also generate KDC certificate and put it in /var/heimdal/certs
> I configured /var/heimdal/kdc.conf and added
> 	enable-pkinit = yes
> 	pki-certificate = /var/heimdal/certs/kdc-cert.pem
> 	pki-private-key = /var/heimdal/certs/kdc-key.pem
> 	pki-ca-dir = /usr/local/ca/certs
> 	pki-allowed-principals = {
> 		ellen = ellen
                        ^^^^^
This looks strange; the right side should be the subject name from your X.509
certificate, i.e. the output of the command:
  'openssl x509 -subject -noout -in user-cert.pem'

However, this is not the solution to your problem, I'm afraid.

> 	}
> 
> 	where ellen is the user id in my system and in my user certificate.
> 
> However, when I performed 
> 	kinit -C user-cert.pem -K user-key.pem -D /usr/local/ca/certs
> I got
> 	kinit: krb5_get_init_creds: Unsupported preauthentication type..

The KDC doesn't return the PKINIT preauthentication field filled in. Could
you provide me with the appropriate part of kdc.log?

--
Dan
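As an added example (not from Dan's reply and not Heimdal's own code), a small POSIX shell helper that derives the right-hand side of a `pki-allowed-principals` entry from a user certificate and checks an existing entry against it, which would have flagged the `ellen = ellen` line above. The function names are invented, and it assumes the subject string Heimdal wants is exactly what `openssl x509 -subject` prints (minus the `subject=` prefix).

```shell
#!/bin/sh
# Hypothetical helper: print the subject of an X.509 certificate in the
# form Dan refers to, with openssl's "subject=" prefix (and any space
# after it, which varies between openssl versions) stripped off.
pkinit_cert_subject() {
    openssl x509 -subject -noout -in "$1" | sed 's/^subject= *//'
}

# Emit one kdc.conf mapping line "<principal> = <subject>" for a cert,
# so the right-hand side is copied from the cert rather than typed by hand.
pkinit_map_line() {
    printf '%s = %s\n' "$1" "$(pkinit_cert_subject "$2")"
}

# Check an existing mapping's right-hand side against the cert it is
# supposed to describe. Returns 0 on a match, 1 (with a diagnostic) otherwise.
pkinit_check_map() {
    princ=$1; rhs=$2; cert=$3
    want=$(pkinit_cert_subject "$cert")
    if [ "$rhs" = "$want" ]; then
        return 0
    fi
    echo "mapping for '$princ' is '$rhs', but cert subject is '$want'" >&2
    return 1
}
```

Run `pkinit_map_line ellen user-cert.pem` to print the line to paste into `pki-allowed-principals`, or `pkinit_check_map ellen '<current right-hand side>' user-cert.pem` to validate an entry already in kdc.conf.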