On Fri, Oct 30, 2015 at 11:09:20PM +0100, Pascal Jakobi wrote:
Hi there
I am trying to run pkinit/X.509 with the standard MIT rpms delivered on
CentOS/Fedora/RHEL.
I have created the certificates with OpenSSL, everything looks fine - I have
a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and the
corresponding KDC cert and CA cert have been checked.
I also modified the principal with kadmin: "modprinc +requires_preauth
toto".
I run kinit for the "toto" principal with KRB5_TRACE set. I can see that the
KDC sends the following to the client :
[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
PA-PK-AS-REQ (16), which I understand is for X.509 certificate
preauthentication, is not in the list.
I guess something is therefore wrong on my KDC configuration, but I cannot
see what.
Can someone enlighten me?
Thanks in advance
--
Pascal Jakobi <mailto:pascal.jakobi@gmail.com>
116 rue de Stalingrad, 93100 Montreuil
France
Tel : +33 6 87 47 58 19
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
kdc = SYSLOG:DEBUG:LOCAL1
admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = THALES.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
THALES.COM = {
kdc = kdc.jakobi.fr
admin_server = kdc.jakobi.fr
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
}

[domain_realm]
.jakobi.fr = THALES.COM
jakobi.fr = THALES.COM
Hi Pascal,
FYI, this mailing list is for Dogtag Certificate System questions.
Anyhow, did you read the MIT Kerberos pkinit guide[1]? It looks
like the space after the comma in the `pkinit_anchors' directive
should not be there.
[1] http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html#configuring-...
Cheers,
Fraser
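An added diagnostic, not part of either message above and not MIT Kerberos code: it reads the [realms] stanza of a krb5.conf-style file, flags any pkinit_* value that has whitespace next to a comma (the point Fraser raises), and parses the KRB5_TRACE "Processing preauth types" line Pascal quoted to report whether PA-PK-AS-REQ (16) is among the types the KDC offered. The sample config and trace line are constructed from the thread, with the wrapped lines joined; the parser covers only the subset of krb5.conf syntax used here.

```python
import re

# Constructed sample: the [realms] stanza from the thread, lines joined.
# The space after the comma in pkinit_identities is what the reply points at.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = THALES.COM

[realms]
THALES.COM = {
kdc = kdc.jakobi.fr
admin_server = kdc.jakobi.fr
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
}
"""

# Constructed from the KRB5_TRACE line quoted in the question.
TRACE_LINE = "[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133"

PA_PK_AS_REQ = 16  # preauth type number for PKINIT (RFC 4556)


def parse_realm_pkinit(text):
    """Return {realm: {directive: value}} for pkinit_* directives inside
    [realms]. Minimal line-based parser (assumption: one directive per line,
    realm blocks opened with 'NAME = {' and closed with '}')."""
    section = None
    realm = None
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            realm = m.group(1)
            out.setdefault(realm, {})
            continue
        if line == "}":
            realm = None
            continue
        if realm and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            if key.startswith("pkinit_"):
                out[realm][key] = value.strip()
    return out


def lint_pkinit_values(directives):
    """Flag pkinit_* values with whitespace on either side of a comma: the
    comma separates cert and key paths, so a path beginning with a space is
    almost certainly not the file the admin meant."""
    findings = []
    for key, value in directives.items():
        if re.search(r"\s,|,\s", value):
            findings.append(f"{key}: whitespace next to comma in {value!r}")
    return findings


def offered_preauth_types(trace_line):
    """Parse a KRB5_TRACE 'Processing preauth types: ...' line into ints."""
    m = re.search(r"Processing preauth types:\s*([\d,\s]+)$", trace_line)
    if not m:
        return []
    return [int(x) for x in m.group(1).split(",") if x.strip()]


def pkinit_offered(trace_line):
    """True when the KDC's offered preauth types include PA-PK-AS-REQ (16)."""
    return PA_PK_AS_REQ in offered_preauth_types(trace_line)


if __name__ == "__main__":
    realms = parse_realm_pkinit(SAMPLE_KRB5_CONF)
    for realm, directives in realms.items():
        for finding in lint_pkinit_values(directives):
            print(f"{realm}: {finding}")
    print("PA-PK-AS-REQ offered:", pkinit_offered(TRACE_LINE))
```

Run against the thread's own config and trace line, the linter reports the `pkinit_identities` value and the trace check returns False, which matches what Pascal observed; rerunning kinit with KRB5_TRACE after editing the directive and restarting the KDC gives a fresh line to feed into `pkinit_offered`.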
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users