Hi there

I am trying to run pkinit/X.509 with the standard MIT rpms delivered on CentOS/Fedora/RHEL.
I have created the certificates with OpenSSL, everything looks fine - I have a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and the corresponding KDC cert and CA cert have been checked.
I also modified the principal with kadmin: "modprinc +requires_preauth toto".

I run kinit for the "toto" principal with KRB5_TRACE set. I can see that the KDC sends the following to the client:
[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
PA-PK-AS-REQ (16), which I understand is for X.509 certificate preauthentication, is not in the list.

I guess something is therefore wrong in my KDC configuration, but I cannot see what.
Can someone enlighten me?
Thanks in advance

--
Pascal Jakobi
116 rue de Stalingrad, 93100 Montreuil
France
Tel : +33 6 87 47 58 19
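
Added example (not part of the original post): a small Python parser for the KRB5_TRACE line quoted above that decodes the pre-authentication type numbers and reports whether any PKINIT type was offered by the KDC. The function names and the second sample line are constructed for illustration, and the parser assumes the numeric list format shown in the post.

```python
import re

# Pre-authentication data type numbers from the IANA Kerberos padata registry.
PADATA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    3: "PA-PW-SALT",
    11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ_OLD",
    15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    138: "PA-ENCRYPTED-CHALLENGE",
    147: "PA-PKINIT-KX",
}
PKINIT_TYPES = {14, 15, 16, 17}  # current and pre-standard PKINIT request/reply types

TRACE_RE = re.compile(r"^\[(\d+)\]\s+(\d+\.\d+):\s+Processing preauth types:\s*(.*)$")

def parse_preauth_lines(trace_text):
    """Yield (pid, timestamp, [padata types]) for each 'Processing preauth types' line."""
    for line in trace_text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # other trace messages are ignored
        types = [int(t) for t in re.findall(r"\d+", m.group(3))]
        yield int(m.group(1)), float(m.group(2)), types

def pkinit_report(trace_text):
    """Return one dict per hint list: decoded names and whether PKINIT was offered."""
    report = []
    for pid, ts, types in parse_preauth_lines(trace_text):
        report.append({
            "pid": pid,
            "timestamp": ts,
            "offered": [PADATA_NAMES.get(t, "unknown(%d)" % t) for t in types],
            "pkinit_offered": any(t in PKINIT_TYPES for t in types),
        })
    return report

# First line: the trace line quoted in the post. Second line: constructed sample.
SAMPLE_TRACE = """\
[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133
[7001] 1446241800.000000: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
"""
```

Calling `pkinit_report()` on a saved trace file's contents shows, per hint list, which mechanisms the KDC advertised for the principal.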