Re: PKINIT cannot kinit
Sujeevan Rasaratnam <sujeevan.rasaratnam@alcatel.com> writes:
> Hi,
> I recently downloaded the PKINIT patch for Heimdal 0.5 and compiled it with
> pkinit enabled but without smart card support or Globus support. I used the
> usual heimdal process to initialize the realm and created a user called
> "sujeevan" using "kadmin -l". When I do a kinit I get "kinit:
> krb5_get_init_creds: Client name mismatch" and in the /var/log/krb5kdc.log
> "PKI client is not authorized to use principal sujeevan@TEST". I need help
> getting pkinit to work.

You need to add yourself to the [kdc] pki-allowed-principals section; look at
the webpage.

    [kdc]
        pki-allowed-principals = {
            krb5-princ1 = X.500-name1
            ...
        }

My [kdc] section has this in it.

    [kdc]
        pki-allowed-principals = {
            lha@N.L.NXS.SE = /C=SE/O=Stockholm universitet/CN=Love/UID=lha
            lha@N.L.NXS.SE = CN=Love/UID=lha
        }

Love

PS: there is an update patch for Heimdal 0.6, but I don't think it's on the
webpage. Daniel Kouril gave it to me, but I can't find it right now.