
Re: PKINIT cannot kinit



Love wrote:
Sujeevan Rasaratnam <sujeevan.rasaratnam@alcatel.com> writes:

Hi,
 I recently downloaded the PKINIT patch for Heimdal 0.5 and compiled it with
pkinit enabled but without smart card support or Globus support. I used the
usual Heimdal process to initialize the realm and created a user called
"sujeevan" using "kadmin -l". When I do a kinit I get "kinit:
krb5_get_init_creds: Client name mismatch" and in /var/log/krb5kdc.log
"PKI client is not authorized to use principal sujeevan@TEST". I need help
getting pkinit to work.

You need to add yourself to the [kdc] pki-allowed-principals section; look at
the webpage.

[kdc]
	pki-allowed-principals = {
		krb5-princ1 = X.500-name1
		...
	}

My [kdc] section has this in it.

[kdc]
	pki-allowed-principals = {
		lha@N.L.NXS.SE = /C=SE/O=Stockholm universitet/CN=Love/UID=lha
		lha@N.L.NXS.SE = CN=Love/UID=lha
	}


Love

PS: there is an updated patch for Heimdal 0.6, but I don't think it's on the
webpage. Daniel Kouril gave it to me, but I can't find it right now.

Thanks for the reply. I have a similar entry in my kdc.conf. You have two entries for one principal; is there a reason? Do I have to add some extension in the X.500 name? Do I have to set up something with kadmin?

=================kdc.conf===============
[realms]
 TEST = {
  supported_keytypes = des:normal
 }
[kdc]
enable-pkinit = yes
pki-certificate = /etc/pkinit/keys/kdc_cert.pem
pki-private-key = /etc/pkinit/keys/kdc_priv.pem
pki-ca-dir = /etc/pkinit/ca
pki-allowed-principals = {
   sujeevan@TEST = C=CA/ST=Ontario/O=Alcatel Canada/OU=R&I Sec/CN=Sujeevan Rasaratnam/emailAddress=sujeevan.rasaratnam@alcatel.com
}
=========================================
OS: RedHat Linux 9 (x86), kernel 2.4.20-8
OpenSSL 0.9.7a

-- 
Sujeevan Rasaratnam
Alcatel Canada - R&I - Security group
600 March Road - Kanata, ON, Canada K2K 2E6
Phone: +1 613 784 3276 Fax: +1 613 784 8944
http://aww.alcatel.com/ri/SEC
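The question in this thread comes down to whether the X.500 name the KDC extracts from the client certificate is literally one of the names listed for that principal under [kdc] pki-allowed-principals. The following script is an added example, not part of this thread and not Heimdal's own code: it parses the krb5.conf-style syntax used by kdc.conf (sections, `key = value`, and `key = { ... }` blocks, with repeated keys collected into a list), pulls out every name allowed for a principal, and compares a certificate subject string (the form `openssl x509 -noout -subject` prints) against them. The embedded config is reconstructed from the two [kdc] fragments posted above. The "loose" comparison that ignores case and a leading slash is an assumption of this example, used only to flag near-misses; the page does not say how Heimdal's PKINIT patch actually compares the two strings, so only the exact match should be read as "allowed".

```python
"""Check a PKINIT client certificate subject against the [kdc] pki-allowed-principals mapping.

Added example for the thread above; not Heimdal code.  Parses the krb5.conf-style
syntax (sections, key = value, key = { ... } blocks) and looks up the X.500 names a
principal is allowed to present.
"""
import re

# Constructed sample: the kdc.conf posted in the thread, plus Love's two-entry
# example for lha@N.L.NXS.SE so that repeated keys are exercised.
SAMPLE_KDC_CONF = """
[realms]
 TEST = {
  supported_keytypes = des:normal
 }
[kdc]
enable-pkinit = yes
pki-certificate = /etc/pkinit/keys/kdc_cert.pem
pki-private-key = /etc/pkinit/keys/kdc_priv.pem
pki-ca-dir = /etc/pkinit/ca
pki-allowed-principals = {
   sujeevan@TEST = C=CA/ST=Ontario/O=Alcatel Canada/OU=R&I Sec/CN=Sujeevan Rasaratnam/emailAddress=sujeevan.rasaratnam@alcatel.com
   lha@N.L.NXS.SE = /C=SE/O=Stockholm universitet/CN=Love/UID=lha
   lha@N.L.NXS.SE = CN=Love/UID=lha
}
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_krb5_conf(text):
    """Return {section: {key: [value, ...]}}; a `{ ... }` block is a nested dict value.

    Repeated keys (as in Love's example) are kept as separate list entries.
    Comments (#) and blank lines are ignored.  Includes/relations are not handled
    (assumption: plain kdc.conf as posted in the thread).
    """
    root = {}
    stack = []  # innermost container last; stack[0] is the current section dict
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("relation before any [section]: %r" % line)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")  # first '=' only: DN values contain '='
        if not sep:
            raise ValueError("expected 'key = value': %r" % line)
        key, value = key.strip(), value.strip()
        if value == "{":
            child = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unclosed '{'")
    return root


def allowed_names(conf, principal):
    """All X.500 name strings configured for `principal` under [kdc] pki-allowed-principals."""
    names = []
    for block in conf.get("kdc", {}).get("pki-allowed-principals", []):
        if isinstance(block, dict):
            names.extend(v for v in block.get(principal, []) if isinstance(v, str))
    return names


def normalize_dn(dn):
    """Assumption for near-miss reporting only: drop a leading '/', trim RDNs, fold case."""
    return "/".join(p.strip() for p in dn.strip().lstrip("/").split("/")).lower()


def check_client(conf, principal, subject):
    """Return (exact, loose): exact string match, and match under normalize_dn().

    Only `exact` is a safe reading of the page; `loose` is there so an operator can
    see whether the mismatch is just a leading slash or case difference.
    """
    names = allowed_names(conf, principal)
    exact = subject in names
    loose = any(normalize_dn(n) == normalize_dn(subject) for n in names)
    return exact, loose


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KDC_CONF)
    # Subject as OpenSSL 0.9.7 prints it, with a leading slash: constructed input.
    subj = "/C=CA/ST=Ontario/O=Alcatel Canada/OU=R&I Sec/CN=Sujeevan Rasaratnam/emailAddress=sujeevan.rasaratnam@alcatel.com"
    print("allowed:", allowed_names(conf, "sujeevan@TEST"))
    print("exact, loose:", check_client(conf, "sujeevan@TEST", subj))
```

Run against a real kdc.conf by reading the file into `parse_krb5_conf` and passing the subject line from `openssl x509 -in client.pem -noout -subject` (minus the `subject=` prefix) to `check_client`. An `(False, True)` result tells you the only difference between the certificate and the configured entry is a leading slash or letter case, which narrows the question to how the KDC renders the name; `(False, False)` means the strings differ in substance and the entry itself needs fixing.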