
Re: PKINIT - kinit - "No usable pa data type", any ideas?




I finally got time to complete the update of the pk-init code.

Tonight's snapshot includes support for pkinit-9 (windows), pkinit-19
(apple, untested), and pkinit-25 (encKey only, no DH).

I've tested it with a windows w2k DC and heimdal kdc (-9, -19, and -25).

Both kinit/libkrb5 and KDC got updated, the KDC didn't have -9 support
before.

Love


"Eric Sylvain" <esylvain@cedarpointcom.com> writes:

> OK, I see...  The maillist suggested using "win2k_pkinit = false"
> in krb5.conf and it seems that I am now getting a proper
> KRB5_PADATA_PK_AS_REQ_19
>
> Reference discussion:
> http://www.stacken.kth.se/lists/heimdal-discuss/2005-04/msg00084.html
>
> Thank you for your help....
>
> (I'm currently getting a "password incorrect" issue, but it may
>   have something to do with the way I setup my certificates...)
>
> Eric
>
> On Tue, 10 May 2005 12:33:00 -0400, Douglas E. Engert
> <deengert@anl.gov>  wrote:
>
>>
>>
>> Eric Sylvain wrote:
>>
>>>  I tried the included patch, without luck. :(
>>>  I added debug to the kdc and see that the request
>>> is coming in with type set to "15", which is
>>> KRB5_PADATA_PK_AS_REP_19, or KRB5_PADATA_PK_AS_REQ_WIN,
>>> but your patch checks for KRB5_PADATA_PK_AS_REQ_19
>>> (previous to patch it checked for KRB5_PADATA_PK_AS_REQ)
>>>  Is this a kinit or kdc issue?
>>
>> The code is trying to support 3 versions of the PKINIT drafts,
>> draft 9 that Windows uses, draft 19, and draft 25. Between
>> 19 and 25 the PA-PK-AS-REQ changed from 14 to 16,
>> and the PA-PK-AS-REP from 15 to 17. (I think if the REQ is 15
>> it is a bug, as the PA-PK-AS-REP would have been 15, or 17.)
>>
>> (I have not tried the KDC, but only the client to Windows AD.)
>>
>> I thought I saw something on this on the list too.
>>
>>>  Eric
>>>  On Mon, 09 May 2005 10:13:41 -0400, Daniel Kouril
>>> <kouril@ics.muni.cz>  wrote:
>>>
>>>> On Mon, May 09, 2005 at 08:06:39AM -0400, Eric Sylvain wrote:
>>>>
>>>>> I have a problem getting "kinit" to work. It exits with
>>>>> the following error:
>>>>>
>>>>>    kinit: krb5_get_init_creds: No usable pa data type
>>>>
>>>>
>>>> Try the patch enclosed,
>>>>
>>>> Dan
>>>
>>
>
>
>
> -- 
> Eric Sylvain
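Douglas's explanation above gives the padata-type numbers that moved between the PKINIT drafts (PA-PK-AS-REQ 14 -> 16, PA-PK-AS-REP 15 -> 17), and Eric's KDC debug showed a request arriving with type 15. The following script is an added example, not code from this thread or from Heimdal: it decodes the padata-type out of a DER-encoded PA-DATA (SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }) and checks whether that number is consistent with the message it arrived in, flagging exactly the case Douglas calls a bug. It models only the draft-19 and draft-25 numbers quoted on the page; the draft-9 (Windows) numbers are not given here and are deliberately left out. The two sample encodings are constructed for the example.

```python
"""Decode the padata-type of a DER PA-DATA and check it against the PKINIT draft numbers.

PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
Numbers as quoted in the thread: draft-19 used 14 (REQ) / 15 (REP), draft-25 uses 16 / 17.
"""

# Mapping taken from Douglas's message. Draft-9 (Windows) numbers are not on the
# page, so they are intentionally not modelled here (assumption: treat them as unknown).
PKINIT_PADATA = {
    14: ("PA-PK-AS-REQ", "draft-19"),
    15: ("PA-PK-AS-REP", "draft-19"),
    16: ("PA-PK-AS-REQ", "draft-25"),
    17: ("PA-PK-AS-REP", "draft-25"),
}


def _read_tlv(buf, off):
    """Read one DER TLV at buf[off]; return (tag, value_start, value_end, next_off).
    Supports short-form and long-form (up to 4 bytes) lengths and rejects truncation."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, end, end


def parse_padata(buf):
    """Parse a single PA-DATA; return (padata_type, padata_value)."""
    tag, start, _, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("PA-DATA must be a SEQUENCE")
    tag, s1, _, nxt = _read_tlv(buf, start)          # [1] padata-type
    if tag != 0xA1:
        raise ValueError("expected [1] padata-type")
    itag, istart, iend, _ = _read_tlv(buf, s1)
    if itag != 0x02:
        raise ValueError("padata-type must be INTEGER")
    padata_type = int.from_bytes(buf[istart:iend], "big", signed=True)
    tag, s2, _, _ = _read_tlv(buf, nxt)              # [2] padata-value
    if tag != 0xA2:
        raise ValueError("expected [2] padata-value")
    otag, ostart, oend, _ = _read_tlv(buf, s2)
    if otag != 0x04:
        raise ValueError("padata-value must be OCTET STRING")
    return padata_type, bytes(buf[ostart:oend])


def classify(padata_type, direction):
    """direction is 'AS-REQ' or 'AS-REP' (the message that carried the padata).
    Returns (label, verdict); a REP number seen in a request is reported as
    inconsistent, which is the situation Douglas describes as a bug."""
    if padata_type not in PKINIT_PADATA:
        return ("unknown padata-type %d" % padata_type, "not PKINIT")
    name, draft = PKINIT_PADATA[padata_type]
    label = "%s (%s)" % (name, draft)
    expected = "REQ" if direction == "AS-REQ" else "REP"
    if expected not in name:
        return (label, "inconsistent: %s number seen in %s" % (name, direction))
    return (label, "ok")


def diagnose(buf, direction):
    """Parse a PA-DATA and classify its type for the given message direction."""
    padata_type, _ = parse_padata(buf)
    return classify(padata_type, direction)


# Constructed sample: PA-DATA with padata-type 16 and a 3-byte placeholder value.
SAMPLE_REQ_25 = bytes.fromhex("300c" "a103020110" "a2050403000102")
# Constructed sample mirroring the thread's anomaly: type 15 carried in an AS-REQ.
SAMPLE_REQ_15 = bytes.fromhex("300c" "a10302010f" "a2050403000102")

if __name__ == "__main__":
    for title, sample in (("draft-25 request", SAMPLE_REQ_25),
                          ("thread anomaly", SAMPLE_REQ_15)):
        print(title, "->", diagnose(sample, "AS-REQ"))
```

Feeding the raw PA-DATA from a KDC debug dump into diagnose() with the direction it came from tells you whether the client and KDC agree on a draft, or whether one side is emitting a reply-type number in a request, before you start chasing certificate problems.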
