I will rerun the tests right now.
Many thanks for the clarification.
In the meantime, please find attached the certificate listings for the CA, the
KDC, and the end user.
P
On 31/03/2011 16:44, Kevin Coffman wrote:
On Thu, Mar 31, 2011 at 7:28 AM, JAKOBI Pascal
<[email protected]> wrote:
> Hi there
>
> I need help in order to get PKINIT working on Fedora 14.
> I have a running kerberos server with krb-server, krb-server-ldap and so
> on (1.8.2).
> I also have installed krb5-pkinit-openssl.
>
> The stuff works like a charm when running in "standard" kerberos, i.e.
> w/o pkinit.
>
> Then we tried to set up pkinit according to the instructions found at
> http://k5wiki.kerberos.org. In particular, we checked carefully, our certs.
Perhaps you could list your certificate information here for both the
user and KDC certificates (the output of "openssl x509 -noout -text
-in YOUR.CRT").
> However, the behaviour does not seem correct.
>
> We issue a kinit -X x509_user_identity=<DN found in the client cert>
> <principal> on the client side (another Fedora instance with software
> certs).
> With Wireshark, we see that an AS-REQ is sent to the server. However, it
> does not seem to convey any certificate (pa-data type = 149).
>
> Then the server replies with ERR_PREAUTH_REQUIRED (the principal that is
> used has its preauth option set). Is this normal?
This is normal. If the KDC's pkinit preauth plugin is properly
configured (valid certificate and kdc.conf configuration options), one
of the preauth options it should return is PKINIT (14, 15, 16, or 17).
The client should then send the PKINIT preauth information in its
subsequent request. If it is accepted by the KDC, there shouldn't be
a password prompt.
> As a result of this, the standard AS_REQ/REP procedure seems to be
> played (as a password is requested on the client side).
>
> The problem is that even when recompiling pkinit with DEBUG set, we
> cannot see anything....
Are you running your KDC in the foreground? Debug output will go to
stderr or stdout. Verify that the PKINIT preauth plugin is
successfully loaded and properly initialized.
> Any help (very) greatly appreciated.
>
> Thanks
> Pascal
>
> --
> Pascal Jakobi
> Sr. Architect, Thales
> 1 av. A. Fresnel
> 91767 Palaiseau, France
> Tel. : +33 1 69 41 60 51
> Mob.: + 33 6 87 47 58 19
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c1:17:44:81:34:99:1b:96
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, L=Paris, O=BioNet, CN=serveur.bionet.fr/[email protected]
Validity
Not Before: Mar 30 12:53:43 2011 GMT
Not After : Apr 29 12:53:43 2011 GMT
Subject: C=FR, L=Paris, O=BioNet, CN=pascal/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.4
X509v3 Subject Key Identifier:
32:6A:54:11:A3:7D:1D:DB:3B:FC:B7:7E:03:7F:79:4F:8B:4F:22:D9
X509v3 Authority Key Identifier:
keyid:83:F2:B7:7C:DD:18:AF:07:82:87:6D:3B:89:9B:24:56:7A:70:1D:0A
X509v3 Subject Alternative Name:
othername:<unsupported>
X509v3 Issuer Alternative Name:
<EMPTY>
Signature Algorithm: sha1WithRSAEncryption
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ee:f2:fc:86:fa:1a:cb:c8
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, L=Paris, O=BioNet, CN=serveur.bionet.fr/[email protected]
Validity
Not Before: Mar 30 12:43:37 2011 GMT
Not After : Apr 29 12:43:37 2011 GMT
Subject: C=FR, L=Paris, O=BioNet, CN=serveur.bionet.fr/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
83:F2:B7:7C:DD:18:AF:07:82:87:6D:3B:89:9B:24:56:7A:70:1D:0A
X509v3 Authority Key Identifier:
keyid:83:F2:B7:7C:DD:18:AF:07:82:87:6D:3B:89:9B:24:56:7A:70:1D:0A
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c1:17:44:81:34:99:1b:95
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, L=Paris, O=BioNet, CN=serveur.bionet.fr/[email protected]
Validity
Not Before: Mar 30 12:51:15 2011 GMT
Not After : Apr 29 12:51:15 2011 GMT
Subject: C=FR, L=Paris, O=BioNet, CN=kdc.bionet.fr/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.5
X509v3 Subject Key Identifier:
4A:03:3A:6F:87:52:9D:1F:1B:5D:CB:DD:97:0C:DD:31:56:6E:EA:BC
X509v3 Authority Key Identifier:
keyid:83:F2:B7:7C:DD:18:AF:07:82:87:6D:3B:89:9B:24:56:7A:70:1D:0A
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha1WithRSAEncryption
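As an added check (example code written for this thread, not part of the original mail or of MIT Kerberos), the script below reads `openssl x509 -noout -text` output in the layout of the listings above and reports the PKINIT-relevant defects for a client or KDC certificate: the RFC 4556 extended key usage for that role, a Digital Signature key usage, an id-pkinit-san othername in the SAN, CA:FALSE, and the validity window. The sample certificate text is constructed with a hypothetical name and only the fields the check needs.

```python
import re
from datetime import datetime

# PKINIT extended key usage OIDs from RFC 4556; both appear in the listing above.
EKU_CLIENT = "1.3.6.1.5.2.3.4"   # id-pkinit-KPClientAuth
EKU_KDC = "1.3.6.1.5.2.3.5"      # id-pkinit-KPKdc

def _value(text, label, next_line=True):
    # Extension values sit on the line after 'label:'; dates sit on the same line.
    tail = r"[^\n]*\n\s*(.+)$" if next_line else r"\s*(.+)$"
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:" + tail, text, re.M)
    return m.group(1).strip() if m else ""

def pkinit_problems(text, role, now):
    """Reasons an `openssl x509 -noout -text` dump cannot be used for PKINIT.
    role is 'client' or 'kdc'; now is the datetime the cert must still be valid at."""
    problems = []
    want = EKU_CLIENT if role == "client" else EKU_KDC
    if want not in _value(text, "X509v3 Extended Key Usage"):
        problems.append("missing PKINIT EKU " + want)
    if "Digital Signature" not in _value(text, "X509v3 Key Usage"):
        problems.append("key usage lacks Digital Signature")
    if "othername" not in _value(text, "X509v3 Subject Alternative Name"):
        problems.append("no id-pkinit-san othername (principal name) in SAN")
    if "CA:FALSE" not in _value(text, "X509v3 Basic Constraints"):
        problems.append("end-entity certificate must carry CA:FALSE")
    not_after = datetime.strptime(_value(text, "Not After", False),
                                  "%b %d %H:%M:%S %Y %Z")
    if now > not_after:
        problems.append("expired on " + not_after.date().isoformat())
    return problems

# Constructed sample (hypothetical KDC certificate, fields not needed here omitted).
KDC_CERT_TEXT = """\
            Not After : Apr 29 12:51:15 2011 GMT
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.5.2.3.5
            X509v3 Subject Alternative Name:
                othername:<unsupported>
"""

if __name__ == "__main__":
    for role in ("kdc", "client"):
        print(role, pkinit_problems(KDC_CERT_TEXT, role, datetime(2011, 4, 1)) or "OK")
```

Note that OpenSSL prints the id-pkinit-san othername as `<unsupported>`, so the script can only confirm the othername is present, not that it names the expected principal.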