[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PKINIT cannot kinit

Sujeevan Rasaratnam <sujeevan.rasaratnam@alcatel.com> writes:

> Hi,
>  I recently downloaded the PKINIT patch for Heimdal 0.5 and compiled it with
> pkinit enabled but without smart card support or Globus support. I used the
> usual heimdal process to initialize the realm and created a user called
> "sujeevan" using "kadmin -l". When I do a kinit i get "kinit:
> krb5_get_init_creds: Client name mismatch" and in the /var/log/krb5kdc.log
> "PKI client is not authorized to use principal sujeevan@TEST". I need help
> getting pkinit to work.

You need to add yourself to [kdc]pki-allowed-principals section, look at
the webpage.

	pki-allowed-principals = {
		krb5-princ1 = X.500-name1

My [kdc] section have this in it.

	pki-allowed-principals = {
		lha@N.L.NXS.SE = /C=SE/O=Stockholm universitet/CN=Love/UID=lha
		lha@N.L.NXS.SE = CN=Love/UID=lha


PS there is a update patch for heimdal 0.6, but I don't think its on the
webpage, Daniel Kouril gave it to me, but I can't find it right now.

PGP signature