Hello Ken, Thanks for your kind response!
I rectified the pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com tested again but it throws error regarding "no acceptable EKU in KDC cert" I read the link you sent in the below mail, it says setting pkinit_eku_checking is not necessary. What should we do now? Regards, Vikram -----Original Message----- From: Ken Hornstein <[email protected]> Sent: Tuesday, March 2, 2021 7:59 PM To: Pal, Vikram Cc: [email protected]; Agrawal, Rajeev; Shastry, Shashiraja; Rajagopalan, SrinivasaRagavan; Venkatesh, Ramanujam Subject: Re: kinit failing when AD user joining using smaercard PIN on ubuntu 20.04 [EXTERNAL EMAIL] >PFA the Kerberos logs got while running kinit command. Could you >please help us understand as to where we ae going here & what should we >do to make it work? Well, you COULD have included them as text rather than a picture :-) But, fine. I see you get a PIN prompt, but I'm not clear if you actually had the chance to enter in a PIN or not. Also, I see this: PKINIT no anchor CA in file /etc/ssl/ca-pem/root//blrdhcdev.cer And that file extension makes me think the certificate there is in DER format, not PEM. But I think your REAL problem is down below: PKINIT client config accepts KDC dNSName SAN BLRDHCDEV.COM PKINIT client found dNSName SAN in KDC cert: blrdhcdev-ad.blrdhcdev.com PKINIT client found no acceptable SAN in KDC cert You can read about the PKINIT client configuration here: https://web.mit.edu/kerberos/krb5-1.17/doc/admin/pkinit.html The key section is down where it says "Configuring the clients". It looks like you have pkinit_kdc_hostname = BLRDHCDEV.COM But it really should be pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com (and you need one of those for each of your AD server hostnames). This is the configuration that tells the client that it can trust the KDC certificate. If you don't have the KDC certificate with the special extensions that say, "This certificate is valid for your realm", then your client needs to be configured to say, "This set of certificates is valid for a KDC certificate". And you need to explicitly list every dNSName in your client. That's what pkinit_kdc_hostname does. --Ken
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
