Hi there,

I need help in order to get PKINIT working on Fedora 14. I have a running Kerberos server with krb-server, krb-server-ldap and so on (1.8.2). I also have installed krb5-pkinit-openssl.
The stuff works like a charm when running in "standard" Kerberos, i.e. w/o PKINIT. Then we tried to set up PKINIT according to the instructions found at http://k5wiki.kerberos.org. In particular, we carefully checked our certs. However, the behaviour does not seem correct.

We issue a

    kinit -X x509_user_identity=<DN found in the client cert> <principal>

on the client side (another Fedora instance with software certs). With Wireshark, we see that an AS-REQ is sent to the server. However, it does not seem to convey any certificate (pa-data type = 149). Then the server replies with ERR_PREAUTH_REQUIRED (the principal that is used has its preauth option set). Is this normal? As a result of this, the standard AS_REQ/REP procedure seems to be played (as a password is requested on the client side).

The problem is that even when recompiling pkinit with DEBUG set, we cannot see anything...

Any help (very) greatly appreciated.

Thanks
Pascal

--
Pascal Jakobi
Sr. Architect, Thales
1 av. A. Fresnel
91767 Palaiseau, France
Tel. : +33 1 69 41 60 51
Mob.: + 33 6 87 47 58 19
