Re: PKINIT - kinit - "No usable pa data type", any ideas?
OK, I see... The mailing list suggested using "win2k_pkinit = false"
in krb5.conf and it seems that I am now getting a proper
KRB5_PADATA_PK_AS_REQ_19
Reference discussion:
http://www.stacken.kth.se/lists/heimdal-discuss/2005-04/msg00084.html
Thank you for your help....
(I'm currently getting a "password incorrect" issue, but it may
have something to do with the way I set up my certificates...)
Eric
On Tue, 10 May 2005 12:33:00 -0400, Douglas E. Engert <deengert@anl.gov>
wrote:
>
>
> Eric Sylvain wrote:
>
>> I tried the included patch, without luck. :(
>> I added debug to the kdc and see that the request
>> is coming in with type set to "15", which is
>> KRB5_PADATA_PK_AS_REP_19, or KRB5_PADATA_PK_AS_REQ_WIN,
>> but your patch checks for KRB5_PADATA_PK_AS_REQ_19
>> (previous to patch it checked for KRB5_PADATA_PK_AS_REQ)
>> Is this a kinit or kdc issue?
>
> The code is trying to support 3 versions of the PKINIT drafts,
> draft 9 that Windows uses, draft 19, and draft 25. Between
> 19 and 25 the PA-PK-AS-REQ changed from 14 to 16,
> and the PA-PK-AS-REP from 15 to 17. (I think if the REQ is 15
> it is a bug, as the PA-PK-AS-REP would have been 15, or 17.)
>
> (I have not tried the KDC, but only the client to Windows AD.)
>
> I thought I saw something on this on the list too.
>
>> Eric
>> On Mon, 09 May 2005 10:13:41 -0400, Daniel Kouril
>> <kouril@ics.muni.cz> wrote:
>>
>>> On Mon, May 09, 2005 at 08:06:39AM -0400, Eric Sylvain wrote:
>>>
>>>> I have a problem getting "kinit" to work. It exits with
>>>> the following error:
>>>>
>>>> kinit: krb5_get_init_creds: No usable pa data type
>>>
>>>
>>> Try the patch enclosed,
>>>
>>> Dan
>>
>
--
Eric Sylvain