On 02/08/2018 08:51 AM, j.witvl...@mindef.nl wrote:> [2676]
1518080701.322720: Sending request (154 bytes) to MOD.NL (master)
> kinit: Can't verify certificate while getting initial credentials
> Am I correct, in assuming that at the side of the KDC the problem lies;
> that the KDC is unable to retrieve the (sub-)CA's for validating my 
> certificate?

I think that is a correct assumption.

The error came from the KDC, not from the client (because it immediately
follows a 'Sending request' trace log).  The message corresponds to the
protocol error code KDC_ERR_CANT_VERIFY_CERTIFICATE.  You didn't say
what implementation is used on the KDC, but RFC 4556 prescribes this
error code for when "the KDC cannot build a certification path to
validate the client's certificate".  In the MIT krb5 KDC implementation,
we respond with that error code when OpenSSL's X509_verify_cert() yields
Kerberos mailing list           Kerberos@mit.edu

Reply via email to