
Re: PKINIT + heimdal snapshot: certificate authentication does not work



Hello,

> My question is: is it a configuration problem, or does PKINIT with the
> Heimdal snapshot not work properly?

From the first tests I've made, it works (with an older snapshot though):

paul@youki:~$ kinit -C FILE:/home/paul/certs/paul.crt,/home/paul/private/paul.key
Enter your private key passphrase:
kinit: NOTICE: ticket renewable lifetime is 1 week
paul@youki:~$ klist
Credentials cache: FILE:/tmp/krb5cc_501
        Principal: paul@TEST.FR

  Issued           Expires          Principal
Aug 26 17:17:51  Aug 27 03:17:51  krbtgt/TEST.FR@TEST.FR
paul@youki:~$

KDC log contains:

2004-08-26T17:17:51 AS-REQ paul@TEST.FR from IPv4:192.168.0.10 for krbtgt/TEST.FR@TEST.FR
2004-08-26T17:17:51 Looking for PKINIT pa-data -- paul@TEST.FR
2004-08-26T17:17:51 PKINIT pre-authentication succeded -- paul@TEST.FR using /C=FR/ST=IDF/O=Internet Widgits Pty Ltd/CN=paul/emailAddress=paul@TEST.FR
2004-08-26T17:17:51 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2004-08-26T17:17:51 Requested flags: renewable, proxiable, forwardable
2004-08-26T17:17:51 sending 2578 bytes to IPv4:192.168.0.10

- Is user.key protected by a passphrase?
- Is your /var/heimdal/pki-mapping file properly filled in?
- (sorry for this silly question) Did you launch the kinit command 
against a "PKINIT-aware" KDC (that is, the daemon coming from the 
snapshot)? Has it been launched properly? I've noticed that if the KDC 
can't use its private key (wrong passphrase, for instance), it starts all 
the same and you can get tickets with your password.

Best regards,

Manu
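
The two checks Manu lists (is the pki-mapping file filled in, and did the KDC really do PKINIT rather than silently fall back to password pre-auth), as an added shell example that is not part of the original thread and is not Heimdal's own code. It assumes that /var/heimdal/pki-mapping holds one "principal:subject" line per mapping, with the subject in the same one-line "/C=FR/ST=.../CN=..." form the KDC log prints after "using", that the KDC compares that subject by exact string equality, and that the KDC log lines have the shape quoted in the message. The mapping file, the log, and the bob@TEST.FR password-login line are constructed sample data; the file paths are temporary files so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, not Heimdal code): sanity checks for a
# Heimdal PKINIT setup, run on constructed sample data.
#
# Assumptions (not confirmed by the page):
#   - pki-mapping has one "principal:subject" line per mapping, subject in the
#     one-line form the KDC prints after "using" in its log.
#   - The KDC compares subjects by exact string equality.
#   - KDC log lines look like the ones quoted in the message.

# Constructed sample mapping file (stand-in for /var/heimdal/pki-mapping).
MAPPING_FILE=$(mktemp)
cat > "$MAPPING_FILE" <<'EOF'
# principal:subject
paul@TEST.FR:/C=FR/ST=IDF/O=Internet Widgits Pty Ltd/CN=paul/emailAddress=paul@TEST.FR
alice@TEST.FR:/C=FR/ST=IDF/O=Internet Widgits Pty Ltd/CN=alice
EOF

# Constructed sample KDC log: paul authenticates with PKINIT, bob with a
# password (the bob lines are invented for the example).
KDC_LOG=$(mktemp)
cat > "$KDC_LOG" <<'EOF'
2004-08-26T17:17:51 AS-REQ paul@TEST.FR from IPv4:192.168.0.10 for krbtgt/TEST.FR@TEST.FR
2004-08-26T17:17:51 Looking for PKINIT pa-data -- paul@TEST.FR
2004-08-26T17:17:51 PKINIT pre-authentication succeded -- paul@TEST.FR using /C=FR/ST=IDF/O=Internet Widgits Pty Ltd/CN=paul/emailAddress=paul@TEST.FR
2004-08-26T17:17:51 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2004-08-26T17:20:03 AS-REQ bob@TEST.FR from IPv4:192.168.0.11 for krbtgt/TEST.FR@TEST.FR
2004-08-26T17:20:03 Looking for PKINIT pa-data -- bob@TEST.FR
2004-08-26T17:20:03 ENC-TS pre-authentication succeeded -- bob@TEST.FR
EOF
trap 'rm -f "$MAPPING_FILE" "$KDC_LOG"' EXIT

# pki_mapping_check FILE PRINCIPAL SUBJECT
# Returns 0 if FILE maps PRINCIPAL to exactly SUBJECT, 1 otherwise.
# Blank lines and '#' comments are skipped.  The comparison is exact string
# equality (the assumed KDC behaviour), so attribute order or whitespace
# differences between the certificate subject and the file are failures.
pki_mapping_check() {
    pm_file=$1; pm_principal=$2; pm_subject=$3
    while IFS= read -r pm_line || [ -n "$pm_line" ]; do
        case $pm_line in ''|'#'*) continue ;; esac
        # Split at the first ':' only; principal names in practice never
        # contain one, while the subject may hold arbitrary characters.
        pm_line_principal=${pm_line%%:*}
        pm_line_subject=${pm_line#*:}
        [ "$pm_line_principal" = "$pm_principal" ] || continue
        [ "$pm_line_subject" = "$pm_subject" ] && return 0
    done < "$pm_file"
    return 1
}

# kdc_pkinit_succeeded LOG PRINCIPAL
# Prints the certificate subject the KDC accepted for PRINCIPAL and returns 0.
# Returns 1 when the log shows no successful PKINIT pre-auth for PRINCIPAL,
# which is what you see when the KDC could not load its own private key and
# the client quietly fell back to password pre-auth.
kdc_pkinit_succeeded() {
    ks_log=$1; ks_principal=$2
    # Note: the KDC log line really spells "succeded".
    ks_subject=$(grep -F "PKINIT pre-authentication succeded -- $ks_principal using " "$ks_log" \
                 | tail -n 1 | sed 's/.* using //')
    [ -n "$ks_subject" ] || return 1
    printf '%s\n' "$ks_subject"
}

# pkinit_check MAPPING LOG PRINCIPAL
# 0 if the KDC accepted a certificate for PRINCIPAL and that certificate's
# subject is the one MAPPING lists for PRINCIPAL; 1 or 2 otherwise.
pkinit_check() {
    pc_subject=$(kdc_pkinit_succeeded "$2" "$3") \
        || { echo "no successful PKINIT pre-auth for $3 in KDC log" >&2; return 1; }
    pki_mapping_check "$1" "$3" "$pc_subject" \
        || { echo "subject '$pc_subject' is not mapped to $3" >&2; return 2; }
    echo "PKINIT OK for $3 ($pc_subject)"
}

# Usage on the constructed data: paul passes, bob did not use PKINIT at all.
pkinit_check "$MAPPING_FILE" "$KDC_LOG" paul@TEST.FR
pkinit_check "$MAPPING_FILE" "$KDC_LOG" bob@TEST.FR || echo "bob: password fallback, exit status $?"
```

On a real KDC, point MAPPING_FILE at /var/heimdal/pki-mapping and KDC_LOG at the kdc log, and feed pki_mapping_check the subject string taken from the "using" part of the KDC's own log line rather than from a different tool, so the comparison uses the exact form the KDC saw.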