PKINIT - kinit - "No usable pa data type", any ideas?
Hi All,
I have a problem getting "kinit" to work. It exits with
the following error:
kinit: krb5_get_init_creds: No usable pa data type
The kdc shows the following log:
2005-05-05T15:19:28 listening on IPv6:::1 port 88/udp
2005-05-05T15:19:28 listening on IPv6:::1 port 88/tcp
2005-05-05T15:19:28 listening on IPv6:::1 port 750/udp
2005-05-05T15:19:28 listening on IPv6:::1 port 750/tcp
2005-05-05T15:19:28 listening on IPv4:127.0.0.1 port 88/udp
2005-05-05T15:19:28 listening on IPv4:192.168.2.155 port 88/udp
2005-05-05T15:19:28 listening on IPv4:127.0.0.1 port 88/tcp
2005-05-05T15:19:28 listening on IPv4:192.168.2.155 port 88/tcp
2005-05-05T15:19:28 listening on IPv4:127.0.0.1 port 750/udp
2005-05-05T15:19:28 listening on IPv4:192.168.2.155 port 750/udp
2005-05-05T15:19:28 listening on IPv4:127.0.0.1 port 750/tcp
2005-05-05T15:19:28 listening on IPv4:192.168.2.155 port 750/tcp
2005-05-05T15:19:53 AS-REQ esylvain@CEDARPOINTCOM.COM from IPv4:192.168.2.155 for krbtgt/CEDARPOINTCOM.COM@CEDARPOINTCOM.COM
2005-05-05T15:19:53 Looking for PKINIT pa-data -- esylvain@CEDARPOINTCOM.COM
2005-05-05T15:19:53 Looking for ENC-TS pa-data -- esylvain@CEDARPOINTCOM.COM
2005-05-05T15:19:53 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2005-05-05T15:19:53 sending 623 bytes to IPv4:192.168.2.155
Both the kdc and kinit are being run on the same machine based
on Fedora Core 3. I am running from a base of heimdal-20050502.
Here are the specifics of my install, I am just starting to learn
about pkinit, so I will just lay everything out that I have done
so far, please feel free to correct any errors, as it may help
myself and others looking at the mail archives...
(Also, I have a few QUESTIONs below in parens)
1. Used the following link as a reference:
http://people.su.se/~lha/patches/heimdal/pkinit
2. Obtain the http snapshot (use http, as ftp does not seem to work currently)
http://ftp.pdc.kth.se/pub/heimdal/src/snapshots
download both matching snapshots of heimdal and asn1, for example
heimdal-20050502.tar.gz
asn1-choice-20050502.tar.gz
3. Build and install PKINIT capable Heimdal
cd ~/heimdal-20050502
tar xvzf heimdal-20050502.tar.gz
tar xvzf asn1-choice-20050502.tar.gz
mv heimdal-20050502/lib/asn1 heimdal-20050502/lib/asn1.old
mv asn1-choice-20050502 heimdal-20050502/lib/asn1
cd heimdal-20050502
autoreconf -f
echo "#define PKINIT 1" >> include/config.h
./configure --prefix=/usr \
--exec-prefix=/usr \
--with-openssl=/usr/bin \
--with-openssl-lib=/usr/lib \
--with-openssl-include=/usr/include/openssl
make
make install
4. Obtain softpkcs package
http://people.su.se/~lha/soft-pkcs11/soft-pkcs11-1.1.tar.gz
5. Build and install softpkcs11
tar xvzf soft-pkcs11-1.1.tar.gz
cd soft-pkcs11-1.1
./configure --prefix=/usr --exec-prefix=/usr
make
make install
6. Setup Certificate Authority, hit <ENTER> when prompted for filename
Enter pass phrase. Fill in Country Name. Use FQDN as Common Name.
cd ~
/usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)
<ENTER>
Making CA certificate ...
Generating a 1024 bit RSA private key
.................++++++
........................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: <password>
Verifying - Enter PEM pass phrase: <password>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New Hampshire
Locality Name (eg, city) [Newbury]:Derry
Organization Name (eg, company) [My Company Ltd]:Cedar Point
Organizational Unit Name (eg, section) []:
Common Name (your name or server's hostname) []:xgige.cedarpointcom.com
Email Address []:
7. Copy CA certificate to common location
mkdir /usr/secure
cd ~
cp demoCA/cacert.pem /usr/secure/cacert.pem
cp demoCA/private/cakey.pem /usr/secure/cakey.pem
7. Make a kdc certificate request
cd ~
/usr/share/ssl/misc/CA -newreq
Generating a 1024 bit RSA private key
.................................++++++
.................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: <password>
Verifying - Enter PEM pass phrase: <password>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New Hampshire
Locality Name (eg, city) [Newbury]:Derry
Organization Name (eg, company) [My Company Ltd]:Cedar Point
Organizational Unit Name (eg, section) []:
Common Name (your name or server's hostname) []:xgige.cedarpointcom.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <password>
An optional company name []: <Enter>
Request (and private key) is in newreq.pem
(QUESTION: Should I be using this instead?)
(openssl req -new -nodes -keyout ???.pem -out newreq.pem)
8. Sign KDC certificate request
cd ~
/usr/share/ssl/misc/CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: <password>
-cert details appear-
Certificate is to be certified until May 6 13:17:56 2006 GMT (365 days)
Sign the certificate? [y/n]: <y>
1 out of 1 certificate requests certified, commit? [y/n] <y>
Write out database with 1 new entries
-cert output appears-
Signed certificate is in newcert.pem
9. Copy Certificate request to common location
# mkdir /usr/secure/kdc
# cp newreq.pem /usr/secure/kdc/kdckey.pem
# cp newcert.pem /usr/secure/kdc/kdccert.pem
# cd /usr/secure/kdc
# ln -s ../cacert.pem `openssl x509 -noout -hash -in ../cacert.pem`.0
10. Use same certificate we created for the kdc, but for the clients
(QUESTION: Is this OK for now, or do I need to make new certs?)
# mkdir /usr/secure/client
# cp newreq.pem /usr/secure/client/clientkey.pem
# cp newcert.pem /usr/secure/client/clientcert.pem
# cd /usr/secure/client
# ln -s ../cacert.pem `openssl x509 -noout -hash -in ../cacert.pem`.0
11. Configure the Heimdal config file used by clients and the kdc
(QUESTION: Are there other [kdc] pki fields to fill in below? This may be dated.)
--------------
/etc/krb5.conf
--------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CEDARPOINTCOM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
pkinit-openssl-engine = ENGINE=dynamic,PRE=SO_PATH:/usr/lib/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/lib/soft-pkcs11.so
[realms]
CEDARPOINTCOM.COM = {
kdc = xgige.cedarpointcom.com
admin_server = xgige.cedarpointcom.com
default_domain = cedarpointcom.com
}
[domain_realm]
.cedarpointcom.com = CEDARPOINTCOM.COM
cedarpointcom.com = CEDARPOINTCOM.COM
[kdc]
profile = /var/xxkerberos/krb5kdc/kdc.conf
require-preauth = no
enable-pkinit = yes
pki-identity = FILE:/usr/secure/kdc/kdccert.pem,/usr/secure/kdc/kdckey.pem
pki-anchors = OPENSSL-ANCHOR-DIR:/usr/secure/kdc
[appdefaults]
pkinit-anchors = OPENSSL-ANCHOR-DIR:/usr/secure/client
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
12. Edit kdc config file /var/kerberos/krb5kdc/kdc.conf
---------------------------
/var/kerberos/krb5kdc/kdc.conf
---------------------------
[kdcdefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
[realms]
CEDARPOINTCOM.COM = {
master_key_type = des-cbc-crc
supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
12. Configure ACL mapping
(QUESTION: What is this file and what is the format? Is this realms or fqdn?)
# mkdir /var/heimdal
create file: /var/heimdal/pki-mapping
-----------------
/var/heimdal/pki-mapping
-----------------
esylvain@xgige.cedarpointcom.com:/C=US/O=Cedar Point
esylvain@CEDARPOINTCOM.COM:/C=US/O=Cedar Point
13. Initialize
# /usr/sbin/kadmin -l
kadmin> init CEDARPOINTCOM.COM
Realm max ticket life [unlimited]: <Enter>
Realm max renewable ticket life [unlimited]: <Enter>
kadmin> add xgige.cedarpointcom.com
Max ticket life [unlimited]: <Enter>
Max renewable life [unlimited]: <Enter>
Attributes []: <Enter>
Password: <password>
Verifying password - Password: <password>
14. Add principals
# /usr/sbin/kadmin -l
kadmin> add --random-key host/xgige.cedarpointcom.com
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext host/xgige.cedarpointcom.com
kadmin> add --random-key esylvain
Max ticket life [1 day]: <Enter>
Max renewable life [1 week]: <Enter>
Principal expiration time [never]: <Enter>
Password expiration time [never]: <Enter>
Attributes []: <Enter>
kadmin> ext esylvain
# ktutil list
Version Type Principal
1 des-cbc-md5 host/xgige.cedarpointcom.com@CEDARPOINTCOM.COM
1 des-cbc-md4 host/xgige.cedarpointcom.com@CEDARPOINTCOM.COM
1 des-cbc-crc host/xgige.cedarpointcom.com@CEDARPOINTCOM.COM
0 des-cbc-md5 esylvain@CEDARPOINTCOM.COM
0 des-cbc-md4 esylvain@CEDARPOINTCOM.COM
0 des-cbc-crc esylvain@CEDARPOINTCOM.COM
15. Start kdc
# /usr/libexec/kdc
Enter your private key passphrase: <password>
16. Look at kdc output log
# tail -f /var/log/krb5kdc.log
...
listening on ...
...
17. Run kinit as user (i.e. Not root)
/usr/bin/kinit -C \
FILE:/usr/secure/client/clientcert.pem,/usr/secure/client/clientkey.pem
Enter your private key passphrase: <password>
(QUESTION:Why do I get the following:
kinit: krb5_get_init_creds: No usable pa data type)
Thanks in advance for any help, thoughts or comments...
Eric Sylvain
esylvain@cedarpointcom.com
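The certificate work of steps 6 through 10 and the mapping line of step 12, redone as an added example that is not part of the original post: it builds a throw-away CA, KDC certificate and client certificate non-interactively with openssl (the "openssl req -new -nodes" form the poster asks about in step 7), gives the client its own key rather than reusing the KDC's (the question in step 10), builds the hash-named anchor directory of step 9, and then runs the checks worth doing before pointing pki-identity and pkinit-anchors at the files: does each certificate chain to the anchor directory, is a certificate with the same subject but from a different CA rejected, does the private key really belong to the certificate, and what exact subject string belongs in pki-mapping. The realm, hostname and DN values are the post's; the temp-dir layout, the function names and the RFC 4556 extendedKeyUsage OIDs (1.3.6.1.5.2.3.5 for a KDC, 1.3.6.1.5.2.3.4 for a client) are my additions, and whether the 2005 snapshot checks those EKUs is not something the post settles.

```shell
#!/bin/sh
# Added example, not from the original post: build a throw-away PKINIT PKI
# non-interactively with openssl and run the checks a KDC admin wants before
# pointing pki-identity / pkinit-anchors at the files. Realm, host and DN
# values are the post's; the temp-dir layout and function names are mine.
set -eu

REALM=CEDARPOINTCOM.COM
KDC_HOST=xgige.cedarpointcom.com
USER_PRINC=esylvain
DN_BASE="/C=US/ST=New Hampshire/L=Derry/O=Cedar Point"

# issue_cert CA_PREFIX SUBJECT OUT_PREFIX EKU_OID
# Signs a fresh key for SUBJECT with CA_PREFIX.pem/.key, writing OUT_PREFIX.key
# and OUT_PREFIX.pem. The EKU OIDs passed below are the RFC 4556 ones
# (1.3.6.1.5.2.3.5 KDC, 1.3.6.1.5.2.3.4 client); whether the 2005 snapshot
# checks them is not settled by the post, later PKINIT implementations do.
issue_cert() {
    ca=$1 subj=$2 out=$3 eku=$4
    openssl req -new -nodes -newkey rsa:2048 -subj "$subj" \
        -keyout "$out.key" -out "$out.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" >"$out.ext"
    openssl x509 -req -days 365 -in "$out.csr" -CA "$ca.pem" -CAkey "$ca.key" \
        -CAcreateserial -extfile "$out.ext" -out "$out.pem" 2>/dev/null
}

# make_pki DIR: CA, KDC cert, client cert (with its own key, unlike step 10
# of the post), an OpenSSL hash-named anchor dir as in step 9, and a second
# CA that is NOT an anchor but issues a cert with the very same client subject.
make_pki() {
    dir=$1
    mkdir -p "$dir/kdc" "$dir/client" "$dir/anchors" "$dir/rogue"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -subj "$DN_BASE/CN=Cedar Point PKINIT CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    issue_cert "$dir/ca" "$DN_BASE/CN=$KDC_HOST" "$dir/kdc/kdc" 1.3.6.1.5.2.3.5
    issue_cert "$dir/ca" "$DN_BASE/CN=$USER_PRINC" "$dir/client/client" 1.3.6.1.5.2.3.4
    ln -sf ../ca.pem "$dir/anchors/$(openssl x509 -noout -hash -in "$dir/ca.pem").0"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -subj "$DN_BASE/CN=Rogue CA" \
        -keyout "$dir/rogue/ca.key" -out "$dir/rogue/ca.pem" 2>/dev/null
    issue_cert "$dir/rogue/ca" "$DN_BASE/CN=$USER_PRINC" "$dir/rogue/client" 1.3.6.1.5.2.3.4
}

# chains_to_anchor ANCHOR_DIR CERT: does CERT chain to a cert in ANCHOR_DIR?
# Keyed on the "OK" line so the check reads the same across openssl releases.
chains_to_anchor() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# key_matches_cert CERT KEY: catches the "wrong key copied next to the cert"
# mistake by comparing the public key carried by each file.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# mapping_line PRINCIPAL CERT: the pki-mapping entry for step 12, with the
# subject in OpenSSL's one-line form exactly as the certificate carries it.
mapping_line() {
    subj=$(openssl x509 -noout -subject -nameopt compat -in "$2" | sed 's/^subject= *//')
    printf '%s:%s\n' "$1" "$subj"
}

# report DIR: human-readable summary for a stand-alone run.
report() {
    d=$1
    for c in kdc/kdc client/client rogue/client; do
        if chains_to_anchor "$d/anchors" "$d/$c.pem"; then r=trusted; else r=REJECTED; fi
        echo "$c.pem: $r"
    done
    if key_matches_cert "$d/client/client.pem" "$d/client/client.key"; then
        echo "client key matches client cert"
    fi
    echo "pki-mapping line: $(mapping_line "$USER_PRINC@$REALM" "$d/client/client.pem")"
}

DEMO_DIR=$(mktemp -d)
make_pki "$DEMO_DIR"
report "$DEMO_DIR"
```

Run it with sh. The rogue certificate carries the same subject as the real client certificate and is still rejected, which is the point of the anchor directory: trust comes from the CA named in pkinit-anchors, not from the DN. The last line printed is the exact string to put in /var/heimdal/pki-mapping; the openssl one-line form is used because that is the form the post's own mapping entries are written in.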
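On the question in step 12 about what the pki-mapping file is: the following is an added example, not from the original post and not Heimdal's code, that models the lookup a KDC does against that file. It assumes, as labelled in the code, that each line is "principal:subject" with the subject in OpenSSL's one-line form, and that the KDC compares that subject string exactly, which is how I understand Heimdal's lookup to behave. The principals and the DN are the post's own values; the second user "mallory" is a constructed subject. The contrast with a prefix rule is there to show why exact comparison is the safe choice.

```python
"""Added example, not from the original post or from Heimdal: a small model
of the lookup a KDC does against the pki-mapping file from step 12.

Assumptions (mine): each line is 'principal:subject', the subject is the
OpenSSL one-line form (/C=US/O=.../CN=...), and the KDC compares that
string exactly, which is how I understand Heimdal's lookup to work. The
principals and DNs are the post's own values."""

DEFAULT_REALM = "CEDARPOINTCOM.COM"


def normalize_principal(name, default_realm=DEFAULT_REALM):
    """A bare name gets the default realm, as krb5_parse_name would do."""
    return name if "@" in name else name + "@" + default_realm


def parse_mapping(text):
    """Return [(principal, subject), ...]. Only the first ':' splits the
    fields because a DN itself may contain ':' (emailAddress, for one)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # this model skips blank lines
        if ":" not in line:
            raise ValueError("malformed pki-mapping line: %r" % line)
        princ, subject = line.split(":", 1)
        entries.append((normalize_principal(princ.strip()), subject.strip()))
    return entries


def authorized(entries, client_principal, cert_subject):
    """True only if some line names this principal with exactly this subject."""
    client = normalize_principal(client_principal)
    return any(p == client and s == cert_subject for p, s in entries)


def prefix_authorized(entries, client_principal, cert_subject):
    """The unsafe variant, for contrast: treating the mapping as a DN prefix
    lets any certificate the CA issues under that organisation log in."""
    client = normalize_principal(client_principal)
    return any(p == client and cert_subject.startswith(s) for p, s in entries)


# The two lines from step 12 of the post. Note the first one carries a
# hostname where the realm goes, so it can never equal the client principal.
POSTED_MAPPING = """\
esylvain@xgige.cedarpointcom.com:/C=US/O=Cedar Point
esylvain@CEDARPOINTCOM.COM:/C=US/O=Cedar Point
"""

# The subject the CA dialog in step 7 produced (step 10 reuses it for the client).
CERT_SUBJECT = "/C=US/ST=New Hampshire/L=Derry/O=Cedar Point/CN=xgige.cedarpointcom.com"

# A constructed subject for a different user certified by the same CA.
OTHER_SUBJECT = "/C=US/O=Cedar Point/CN=mallory"


def posted_entry_matches():
    """Exact comparison: the posted partial DN never equals the cert subject."""
    return authorized(parse_mapping(POSTED_MAPPING), "esylvain", CERT_SUBJECT)


def full_entry_matches():
    """The line that would match: principal, colon, the whole subject."""
    fixed = "esylvain:" + CERT_SUBJECT + "\n"
    return authorized(parse_mapping(fixed), "esylvain", CERT_SUBJECT)


def prefix_rule_is_unsafe():
    """Under prefix matching, mallory's certificate maps to esylvain."""
    return prefix_authorized(parse_mapping(POSTED_MAPPING), "esylvain", OTHER_SUBJECT)


if __name__ == "__main__":
    print("posted mapping matches cert subject:", posted_entry_matches())   # False
    print("full-subject mapping matches:", full_entry_matches())            # True
    print("prefix rule accepts another user:", prefix_rule_is_unsafe())     # True
```

The mapping file is the authorization decision for PKINIT: the CA only vouches that a key belongs to a subject, and this file is what says which subject may obtain tickets for which principal. A line with a shortened DN therefore should not be expected to match, and a looser comparison would hand every certificate under that organisation to the listed principal.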