On 06/08/2014 06:35 PM, [email protected] wrote:
> pkinit_identity = DIR:/home/%{username}/.krb5.id

I think this is the source of your problems in two ways:

1. pkinit_identity is only for the KDC. pkinit_identities is for clients. This is of course very confusing (the variables should have been named with "kdc" and "client" substrings), and the documentation should do more to highlight the difference.

2. pkinit_identity isn't processed through path token substitution. This is largely a historical accident; PKINIT was introduced in 1.6, while path substitution was introduced along with default_ccache_name in 1.11.

The best you can do right now is specify pkinit_identities = ENV:SOMEENVVARNAME, and then make each user's dotfiles set SOMEENVVARNAME to DIR:/path/to/their/home/directory/.krb5.id.

I will file three issues about the confusing profile variable names, lack of path substitution, and lack of a path substitution token for the home directory.

> KRB5_TRACE=/dev/stdout kinit \
> -X X509_user_identity=DIR:/home/test/.krb5.id my/principal
[...]
> Jun 7 18:14:46 kdc krb5kdc[6158]: preauth (pkinit) verify failure:
> Client name mismatch

We need better logging for this situation; I will file a fourth issue about that.

I went back over your earlier messages and didn't see a transcript of how you created the client certificate, so I'm not sure what the misstep was. (The instructions in the documentation do work.)

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
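As an added illustration of the ENV: workaround described in the reply above (this is not code from the thread or from MIT Kerberos), here is a POSIX sh snippet that checks a client-side krb5.conf fragment for the two mistakes the reply names, computes the per-user DIR: value a dotfile would export, and verifies that the directory actually holds a usable certificate/key pair. The variable name KRB5_PKINIT_ID, the ~/.krb5.id location, and the assumption that a DIR: identity holds matching NAME.crt/NAME.key pairs are choices made here, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the ENV: workaround on a client.
# Assumptions: env var name KRB5_PKINIT_ID, per-user dir $HOME/.krb5.id, and a
# DIR: identity holding matching NAME.crt / NAME.key pairs (all chosen here).

# Constructed client-side krb5.conf fragment using the client variable.
CLIENT_CONF='[libdefaults]
    pkinit_identities = ENV:KRB5_PKINIT_ID'

# Constructed fragment with the mistake from the thread: the KDC-only
# variable, plus a %{username} token that the client never expands.
MISTAKEN_CONF='[libdefaults]
    pkinit_identity = DIR:/home/%{username}/.krb5.id'

# 0 if the fragment sets the KDC-only pkinit_identity (wrong on a client).
conf_has_kdc_only_key() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*pkinit_identity[[:space:]]*='
}

# 0 if the fragment sets the client variable to an ENV: reference.
conf_uses_env_identity() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*pkinit_identities[[:space:]]*=[[:space:]]*ENV:[A-Za-z_][A-Za-z0-9_]*[[:space:]]*$'
}

# The value a user's dotfile would export for the given home directory.
pkinit_id_for_home() {
    printf 'DIR:%s/.krb5.id' "$1"
}

# 0 if a DIR: identity value points at a directory holding at least one
# NAME.crt with its NAME.key beside it; 1 otherwise.
dir_identity_ok() {
    dir=${1#DIR:}
    [ -d "$dir" ] || return 1
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        [ -f "${crt%.crt}.key" ] && return 0
    done
    return 1
}

# The line each user would put in a shell dotfile, as the reply suggests.
dotfile_line() {
    printf 'export KRB5_PKINIT_ID=%s\n' "$(pkinit_id_for_home "$HOME")"
}
```

Run dotfile_line to see the export line for the current account, or dir_identity_ok "$KRB5_PKINIT_ID" before kinit to catch an empty or half-populated identity directory.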
