
PKINIT



Hi group,

    I'm trying pkinit, but I can't make it work.

I set the KDC certificate and client to the files kdc.crt and kdc.key
from the directory lib/hx509/data.

Then I created a user named pino under the domain LNF.INFN.IT, and then I
set the pki-mapping file as:

pino@LNF.INFN.IT:CN=pkinit,C=SE,

Then my configuration file looks like this:

[logging]
 kdc = FILE:/var/heimdal/kdc.log

[libdefaults]
 default_realm = LNF.INFN.IT

[realms]
 LNF.INFN.IT = {
  kdc = shishi.lnf.infn.it:88
 }

[domain_realm]
  lnf.infn.it = LNF.INFN.IT
 .lnf.infn.it = LNF.INFN.IT

[kdc]
 enable-pkinit = yes
 pki-identity = FILE:/home/alberto/heimdal-0.8-rc1/lib/hx509/data/kdc.crt,/home/alberto/heimdal-0.8-rc1/lib/hx509/data/kdc.key
 pki-anchors = FILE:/home/alberto/heimdal-0.8-rc1/lib/hx509/data/ca.crt

[appdefaults]
  pkinit-anchors = FILE:/home/alberto/heimdal-0.8-rc1/lib/hx509/data/ca.crt



When I run the KDC and then I try:

 bin/kinit -C FILE:/home/alberto/heimdal-0.8-rc1/lib/hx509/data/pkinit.crt,/home/alberto/heimdal-0.8-rc1/lib/hx509/data/pkinit.key pino@LNF.INFN.IT


In my log I get:


KDC started
2006-12-04T16:21:36 AS-REQ pino@LNF.INFN.IT from IPv4:192.84.130.195 for 
krbtgt/LNF.INFN.IT@LNF.INFN.IT
2006-12-04T16:21:36 Client sent patypes: PK-INIT(ietf)
2006-12-04T16:21:36 Looking for PKINIT pa-data -- pino@LNF.INFN.IT
2006-12-04T16:21:36 PK-INIT request of type PK-INIT-IETF
2006-12-04T16:21:36 Trying to authorize subject DN CN=pkinit,C=SE
2006-12-04T16:21:36 Found matching PK-INIT FILE ACL
2006-12-04T16:21:36 PKINIT pre-authentication succeeded -- 
pino@LNF.INFN.IT using CN=pkinit,C=SE
2006-12-04T16:21:36 Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5,
 arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
2006-12-04T16:21:36 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2006-12-04T16:21:37 PK-INIT using dh RFC2412-MODP-group2
2006-12-04T16:21:37 AS-REQ authtime: 2006-12-04T16:21:36 starttime: 
unset endtime: 2006-12-05T02:21:36 renew till: unset
2006-12-04T16:21:37 sending 156 bytes to IPv4:192.84.130.195
2006-12-04T16:21:37 AS-REQ pino@LNF.INFN.IT from IPv4:192.84.130.195 for 
krbtgt/LNF.INFN.IT@LNF.INFN.IT
2006-12-04T16:21:37 Client sent patypes: PK-INIT(ietf)
2006-12-04T16:21:37 Looking for PKINIT pa-data -- pino@LNF.INFN.IT
2006-12-04T16:21:37 PK-INIT request of type PK-INIT-IETF
2006-12-04T16:21:37 Trying to authorize subject DN CN=pkinit,C=SE
2006-12-04T16:21:37 Found matching PK-INIT FILE ACL
2006-12-04T16:21:37 PKINIT pre-authentication succeeded -- 
pino@LNF.INFN.IT using CN=pkinit,C=SE
2006-12-04T16:21:37 Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5,
 arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
2006-12-04T16:21:37 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2006-12-04T16:21:38 PK-INIT using dh RFC2412-MODP-group2
2006-12-04T16:21:38 AS-REQ authtime: 2006-12-04T16:21:37 starttime: 
unset endtime: 2006-12-05T02:21:36 renew till: unset
2006-12-04T16:21:38 sending 2386 bytes to IPv4:192.84.130.195


and the error message:

kinit: krb5_get_init_creds: PKINIT: Failed decoding windows pkinit reply 1859794441


What can I do?
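A small parser for the KDC log above, added here as an example and not part of the original post or of Heimdal: it groups the log into AS-REQ exchanges (request line through the "sending N bytes" reply) and reports clients that came straight back with a second PKINIT request, which is the pattern in the log above (kinit did not accept the first reply). The sample lines are the ones from the post's log with the mail wrapping undone; the field names are my own.

```python
import re

# Key lines from the KDC log in the post above, with the mail-client line
# wrapping undone so each record is on one line (enctype lines omitted).
KDC_LOG = """\
KDC started
2006-12-04T16:21:36 AS-REQ pino@LNF.INFN.IT from IPv4:192.84.130.195 for krbtgt/LNF.INFN.IT@LNF.INFN.IT
2006-12-04T16:21:36 Trying to authorize subject DN CN=pkinit,C=SE
2006-12-04T16:21:36 PKINIT pre-authentication succeeded -- pino@LNF.INFN.IT using CN=pkinit,C=SE
2006-12-04T16:21:37 sending 156 bytes to IPv4:192.84.130.195
2006-12-04T16:21:37 AS-REQ pino@LNF.INFN.IT from IPv4:192.84.130.195 for krbtgt/LNF.INFN.IT@LNF.INFN.IT
2006-12-04T16:21:37 Trying to authorize subject DN CN=pkinit,C=SE
2006-12-04T16:21:37 PKINIT pre-authentication succeeded -- pino@LNF.INFN.IT using CN=pkinit,C=SE
2006-12-04T16:21:38 sending 2386 bytes to IPv4:192.84.130.195
"""

AS_REQ = re.compile(r"^(\S+) AS-REQ (\S+) from (\S+) for (\S+)$")
SUBJECT = re.compile(r"Trying to authorize subject DN (.+)$")
SUCCESS = re.compile(r"PKINIT pre-authentication succeeded -- (\S+) using (.+)$")
SENT = re.compile(r"sending (\d+) bytes to (\S+)$")


def parse_as_exchanges(log_text):
    """Group KDC log lines into one dict per AS-REQ, from the request line
    up to the 'sending N bytes' line that closes the exchange."""
    exchanges, cur = [], None
    for line in log_text.splitlines():
        m = AS_REQ.match(line)
        if m:
            cur = {"time": m.group(1), "client": m.group(2), "from": m.group(3),
                   "server": m.group(4), "subject_dn": None,
                   "pkinit_ok": False, "reply_bytes": None}
            exchanges.append(cur)
        elif cur is not None:
            if (m := SUBJECT.search(line)):
                cur["subject_dn"] = m.group(1)
            elif (m := SUCCESS.search(line)) and m.group(1) == cur["client"]:
                cur["pkinit_ok"] = True
            elif (m := SENT.search(line)):
                cur["reply_bytes"] = int(m.group(1))
                cur = None  # the reply closes this exchange
    return exchanges


def pkinit_retries(exchanges):
    """Clients with more than one AS-REQ that passed PKINIT pre-authentication,
    each with the (time, reply size) of the requests: the client kept retrying."""
    out = {}
    for ex in exchanges:
        if ex["pkinit_ok"]:
            out.setdefault(ex["client"], []).append((ex["time"], ex["reply_bytes"]))
    return {c: v for c, v in out.items() if len(v) > 1}
```

Run over the log in the post it reports pino@LNF.INFN.IT twice, with replies of 156 and 2386 bytes, so the KDC side authorized the certificate both times and the failure is on the client's decoding of the reply.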