On 5/29/2013 1:08 AM, sasikumar bodathula wrote:
> Forgot to mention the following in the previous e-mail.
>
> Some more info: tried kinit with X509_user_pool (does this exist, since kinit
> did not complain?) and X509_user_identity options with DIR (is this supported,
> or does each user-specific file need to be mentioned in the kinit command with
> FILE: options?)
>
> Best Regards,
>
> B.Sasikumar.
>
>
> From: "sasikumar bodathula"<[email protected]>
> Sent: Wed, 29 May 2013 11:24:04
> To: "[email protected]"<[email protected]>
> Subject: pkinit for multiple user support
>
> Hi,
> I am trying to test multiple users with certificates (pkinit).
>
> The following are the steps that were followed:
>
> 1. In the KDC, created 2 users, testuser and testuser2, and enabled
> +requires_preauth with modprinc.
>
> 2. Created CA certificate and KDC certificate.
>
> krb5.conf in the KDC contains
> pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
> pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
>
> 3. Created certificate for testuser with the CA created in step 2.
>
> 4. Created certificate for testuser2 with the CA created in step 2.
>
> krb5.conf in the client machine
> pkinit_pool = DIR:/etc/certificates/usercerts/
> pkinit_anchors = DIR:/etc/certificates/usercerts/
>
> Kinit command for testuser
>
> kinit -V -X X509_user_pool=DIR:/etc/certificates/usercerts/ -X X509_anchors=DIR:/etc/certificates/usercerts/ -X flag_RSA_PROTOCOL=yes testuser
Did you forget the -X X509_user_identity=... pointing at the user's cert and key?

> Kinit command for testuser2
>
> kinit -V -X X509_user_pool=DIR:/etc/certificates/usercerts/ -X X509_anchors=DIR:/etc/certificates/usercerts/ -X flag_RSA_PROTOCOL=yes testuser2
>
> In both cases kinit prompts for a password.
>
> NOTE:-
> 1. If the certificate is specified instead of the directory, it works fine and does not
> prompt for a password.
> 2. Both the testuser and testuser2 certificates, along with the CA, are placed in the same
> location "/etc/certificates/usercerts/"

The key is most important. Only a user should have access to their key.

> Please guide me if I am missing something important in this procedure.
>
> Best Regards,
>
> B.Sasikumar.
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
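As an added example (not code from this thread, and not MIT krb5's own tooling), the following POSIX shell helper builds the per-user kinit command the reply above asks for, with one X509_user_identity in FILE:cert,key form per user, and refuses to proceed unless the user's private key is owner-only. The layout it assumes is an assumption, not the poster's: for a principal user@REALM, the certificate is DIR/user.crt, the key is DIR/user.key and the CA certificate is DIR/cacert.pem. It uses only the pkinit -X attributes the kinit man page documents (X509_user_identity, X509_anchors and flag_RSA_PROTOCOL); X509_user_pool is not among them. Also worth knowing from the MIT krb5 pkinit documentation: a DIR: value given to pkinit_anchors or pkinit_pool is read as an OpenSSL-style hashed CA directory, and only when given as an identity (pkinit_identities or X509_user_identity) does it mean a directory of matching *.crt/*.key pairs.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT krb5.
# Builds a pkinit kinit command line with one X509_user_identity per user and
# refuses to proceed if the private key is not owner-only.
#
# Assumed layout (an assumption, not the poster's): for principal user@REALM,
# the certificate is $DIR/user.crt, the key is $DIR/user.key and the CA
# certificate is $DIR/cacert.pem.

# key_is_private FILE: succeed only if FILE exists, belongs to the caller and
# is mode 0600 or 0400, so no other local user can read the pkinit key.
key_is_private() {
    key=$1
    [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
    [ -O "$key" ] || { echo "refusing: $key is not owned by $(id -un)" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing: $key is mode $mode, run: chmod 600 $key" >&2; return 1 ;;
    esac
}

# kinit_pkinit_cmd PRINCIPAL DIR: print the kinit command for PRINCIPAL using
# the documented -X attributes (X509_user_identity, X509_anchors,
# flag_RSA_PROTOCOL). Prints nothing and fails if the cert or CA is missing
# or the key check fails.
kinit_pkinit_cmd() {
    princ=$1
    dir=$2
    user=${princ%%@*}          # strip @REALM if present
    cert=$dir/$user.crt
    key=$dir/$user.key
    anchors=$dir/cacert.pem
    [ -f "$cert" ] || { echo "missing cert: $cert" >&2; return 1; }
    [ -f "$anchors" ] || { echo "missing CA cert: $anchors" >&2; return 1; }
    key_is_private "$key" || return 1
    printf 'kinit -V -X X509_user_identity=FILE:%s,%s -X X509_anchors=FILE:%s -X flag_RSA_PROTOCOL=yes %s\n' \
        "$cert" "$key" "$anchors" "$princ"
}

# Demo on constructed placeholder files in a scratch directory (no KDC needed;
# the command is printed, not executed).
demo() {
    tmp=$(mktemp -d)
    printf 'placeholder cert\n' > "$tmp/testuser.crt"
    printf 'placeholder key\n'  > "$tmp/testuser.key"
    printf 'placeholder CA\n'   > "$tmp/cacert.pem"

    chmod 644 "$tmp/testuser.key"           # world-readable key: must be refused
    if kinit_pkinit_cmd testuser@EXAMPLE.COM "$tmp"; then
        echo "BUG: world-readable key was accepted" >&2
    fi

    chmod 600 "$tmp/testuser.key"           # owner-only key: command is printed
    kinit_pkinit_cmd testuser@EXAMPLE.COM "$tmp"
    rm -rf "$tmp"
}
demo
```

The demo only prints the command line; to actually obtain a ticket, run the printed line against a KDC that has pkinit configured, and with -V a successful run reports the authentication instead of falling back to a password prompt. Keeping each user's key in a file that only that user can read is what makes the per-user FILE: form preferable to dropping every user's key into one shared directory.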
