Re: Configuration of pkinit with heimdal 0.8 rc2
Yes, to make the options common with MIT Kerberos we changed
them to use the prefix pkinit and use _.
They look like this now.
Sorry, I should have mentioned this in the mail.
Love

[appdefaults]
    pkinit_anchors = FILE:/path/to/trust-anchors.pem

[realms]
    EXAMPLE.COM = {
        pkinit_require_eku = true
        pkinit_require_krbtgt_otherName = true
        pkinit_win2k = no
        pkinit_win2k_require_binding = yes
    }

Configure the KDC

[kdc]
    enable-pkinit = yes
    pkinit_identity = FILE:/secure/kdc.crt,/secure/kdc.key
    pkinit_anchors = FILE:/path/to/trust-anchors.pem
    pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
    pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
    pkinit_allow_proxy_certificate = false

On 6 Dec 2006, at 16:31, Alberto Fondi wrote:
> Hi group,
>
> I tried pkinit and it is wonderful, but when I passed from
> version 0.8 rc1 to version 0.8 rc2, when I start the kdc process it
> terminates immediately and I find in the log the message:
>
> 2006-12-06T16:16:07 pkinit enabled but no identity
>
> and if I give the command verify_krb5_conf I get:
>
> verify_krb5_conf: /kdc/pki-identity: unknown entry
> verify_krb5_conf: /kdc/pki-anchors: unknown entry
> verify_krb5_conf: /appdefaults/pkinit-anchors: unknown or wrong type
>
> It seems like the commands in the krb5.conf file for pkinit are no
> longer supported?
>
> Must I return to version 0.8 rc1?
>
>
> Thank you!
>
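
The rename described in this thread, as an added example that is not part of the original messages or of Heimdal: a small checker that finds rc1-style `pki-`/`pkinit-` option names in a krb5.conf and rewrites them with the `pkinit_` prefix and underscores. The sample file is constructed, the names `new_name` and `migrate` are hypothetical, and applying the rule to options other than the three named in the verify_krb5_conf output is an assumption.

```python
import re

# Constructed sample: an rc1-style krb5.conf using the option names that
# verify_krb5_conf rejects in the report quoted in this thread.
SAMPLE_OLD_CONF = """\
[appdefaults]
    pkinit-anchors = FILE:/path/to/trust-anchors.pem
[kdc]
    enable-pkinit = yes
    pki-identity = FILE:/secure/kdc.crt,/secure/kdc.key
    pki-anchors = FILE:/path/to/trust-anchors.pem
"""

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
OPTION = re.compile(r"^(\s*)([A-Za-z0-9_-]+)(\s*=.*)$")
OLD_NAME = re.compile(r"^(?:pki|pkinit)-(.+)$")


def new_name(key):
    """Return the pkinit_ spelling of an old-style key, or None if unaffected."""
    m = OLD_NAME.match(key)
    if m is None:
        return None  # e.g. enable-pkinit keeps its hyphen in the new config
    # Assumption: the rename rule holds for options beyond the three in the thread.
    return "pkinit_" + m.group(1).replace("-", "_")


def migrate(text):
    """Return (rewritten_text, findings); each finding is (line, section, old, new)."""
    section, out, findings = None, [], []
    for number, line in enumerate(text.splitlines(), 1):
        header = SECTION.match(line)
        option = OPTION.match(line)  # comment lines do not match this pattern
        if header:
            section = header.group(1)
        elif option:
            renamed = new_name(option.group(2))
            if renamed:
                findings.append((number, section, option.group(2), renamed))
                line = option.group(1) + renamed + option.group(3)
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    fixed, found = migrate(SAMPLE_OLD_CONF)
    for number, section, old, new in found:
        print(f"line {number} [{section}]: {old} -> {new}")
    print(fixed, end="")
```

Run verify_krb5_conf on the rewritten file before restarting the KDC, since it is the tool that reported the stale names in the first place.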