
Re: PKINIT cannot kinit

Love wrote:
Sujeevan Rasaratnam <sujeevan.rasaratnam@alcatel.com> writes:

I recently downloaded the PKINIT patch for Heimdal 0.5 and compiled it with
pkinit enabled but without smart card support or Globus support. I used the
usual heimdal process to initialize the realm and created a user called
"sujeevan" using "kadmin -l". When I do a kinit I get "kinit:
krb5_get_init_creds: Client name mismatch" and in the /var/log/krb5kdc.log
"PKI client is not authorized to use principal sujeevan@TEST". I need help
getting pkinit to work.

You need to add yourself to [kdc]pki-allowed-principals section, look at
the webpage.

	pki-allowed-principals = {
		krb5-princ1 = X.500-name1
	}

My [kdc] section has this in it.

	pki-allowed-principals = {
		lha@N.L.NXS.SE = /C=SE/O=Stockholm universitet/CN=Love/UID=lha
		lha@N.L.NXS.SE = CN=Love/UID=lha
	}


PS there is an update patch for heimdal 0.6, but I don't think it's on the
webpage; Daniel Kouril gave it to me, but I can't find it right now.

Thanks for the reply. I have a similar entry in my kdc.conf. You have two entries for one principal, is there a reason? Do I have to add some extension in the X.500 name? Do I have to set up something with kadmin?

	TEST = {
		supported_keytypes = des:normal
		enable-pkinit = yes
		pki-certificate = /etc/pkinit/keys/kdc_cert.pem
		pki-private-key = /etc/pkinit/keys/kdc_priv.pem
		pki-ca-dir = /etc/pkinit/ca
		pki-allowed-principals = {
			sujeevan@TEST = C=CA/ST=Ontario/O=Alcatel Canada/OU=R&I Sec/CN=Sujeevan Rasaratnam/emailAddress=sujeevan.rasaratnam@alcatel.com
		}
	}
OS: RedHat Linux 9 (x86) kernel 2.4.20-8
OpenSSL 0.9.7a

Sujeevan Rasaratnam
Alcatel Canada - R&I - Security group
600 March Road - Kanata, ON, Canada K2K 2E6
Phone: +1 613 784 3276 Fax: +1 613 784 8944
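As an added example (not Heimdal's code and not anything posted in the thread), a small Python model of the decision behind the log line "PKI client is not authorized to use principal": it parses a pki-allowed-principals block like the ones quoted above and checks whether a certificate subject may use a given principal, treating each line as one more acceptable subject for that principal. The DN comparison (split on "/", match attribute by attribute, leading "/" optional) is an assumption about how the KDC compares names, not taken from Heimdal's source; the config text is constructed.

```python
# Constructed sample modelled on the [kdc] blocks quoted in the thread;
# the principal/DN pairs are illustrative, not anyone's real config.
SAMPLE_KDC_CONF = """
[kdc]
    enable-pkinit = yes
    pki-allowed-principals = {
        lha@N.L.NXS.SE = /C=SE/O=Example/CN=Love/UID=lha
        lha@N.L.NXS.SE = CN=Love/UID=lha
        sujeevan@TEST = C=CA/ST=Ontario/O=Alcatel Canada/CN=Sujeevan Rasaratnam
    }
"""

def normalize_dn(dn):
    """Split a slash-separated DN into (TYPE, value) pairs. A leading '/' is
    optional and attribute types compare case-insensitively (assumption)."""
    pairs = []
    for part in dn.strip().lstrip("/").split("/"):
        if "=" in part:
            k, v = part.split("=", 1)
            pairs.append((k.strip().upper(), v.strip()))
    return tuple(pairs)

def parse_allowed_principals(conf):
    """Return {principal: [normalised subject names]} from the
    'pki-allowed-principals = { ... }' block. One line per allowed name, so a
    principal listed twice (as in Love's config) has two acceptable subjects."""
    allowed, in_block = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line.startswith("pki-allowed-principals") and line.endswith("{")
            continue
        if line == "}":
            break
        if "=" in line:
            princ, dn = (s.strip() for s in line.split("=", 1))
            allowed.setdefault(princ, []).append(normalize_dn(dn))
    return allowed

def authorize(allowed, principal, cert_subject):
    """Model of the KDC decision behind 'PKI client is not authorized to use
    principal X'. Returns (ok, reason) so the two failure causes are distinct:
    the principal is absent from the block, or no listed name equals the subject."""
    names = allowed.get(principal)
    if names is None:
        return False, "principal not listed in pki-allowed-principals"
    if normalize_dn(cert_subject) not in names:
        return False, "certificate subject matches none of the allowed names"
    return True, "ok"
```

Running `authorize(parse_allowed_principals(SAMPLE_KDC_CONF), "sujeevan@TEST", "<subject as printed by openssl x509 -subject>")` against the exact subject string of the client certificate is the quickest way to see which of the two reasons a KDC in this model would refuse the request for.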