Kai, I had no issue with MIT kinit client. Only with OS X kinit.

Thanks
Jim

> On Jun 10, 2015, at 5:43 PM, Zheng, Kai <[email protected]> wrote:
>
> I'm surprised it was sent here. I thought it should be to [email protected].
>
> Anyway, by the way, it looks like an inter-operable issue between MIT KDC and
> Heimdal kinit, resulting in an ASN1 decoding issue. To make sure, does it work
> if you use MIT kinit against the KDC?
>
> Regards,
> Kai
>
> From: Jim Shi [mailto:[email protected]]
> Sent: Thursday, June 11, 2015 12:38 AM
> To: [email protected]
> Subject: pkinit with heimdal kinit client
>
> Hi, I have MIT kdc 1.10.6 running on linux server.
> My client is heimdal kinit on OS X.
>
> on OS X:
>
> ./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem
> testuser@REALM
>
> on KDC server, I saw this error:
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18
> 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM,
> Additional pre-authentication required
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit)
> verify failure: error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18
> 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM,
> error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
> error
>
>
> I checked the certificates and they look good to me.
>
> What else could be wrong?
>
> Thanks for your help.
>
> Jim
