Getting PK-INIT to work?


Getting PK-INIT to work?

Fredrik Pettai
Hi,

I read up on "Setting up PK-INIT" from http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html and looking in the heimdal / hx509 info docs. After following the example generating CA, KDC, and User certificates from the webpage above + KDC and client configuration, then I try to authenticate using kinit, I get:

-bash-4.3$ kinit -C FILE:hx/pettai.pem [hidden email]
kinit: krb5_get_init_creds_opt_set_pkinit: PKINIT: No anchor given

Trust Anchor is very briefly described, but not how to configure that, so I assumed that it would be the certificate of the self signed CA (which I configured in /etc/krb5.conf as described in section 4.22).

Any hints to why I get this message from kinit?

Re,
/P

Re: Getting PK-INIT to work?

Love Hörnquist Åstrand

> I read up on "Setting up PK-INIT" from http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html and looking in the heimdal / hx509 info docs. After following the example generating CA, KDC, and User certificates from the webpage above + KDC and client configuration, then I try to authenticate using kinit, I get:
>
> -bash-4.3$ kinit -C FILE:hx/pettai.pem [hidden email]
> kinit: krb5_get_init_creds_opt_set_pkinit: PKINIT: No anchor given
>
> Trust Anchor is very briefly described, but not how to configure that, so I assumed that it would be the certificate of the self signed CA (which I configured in /etc/krb5.conf as described in section 4.22).
>
> Any hints to why I get this message from kinit?

Because you didn't pass the anchor explicitly to kinit, or you got the configuration option wrong in the file.

Just to confuse you, the option is in the app default section by default, see

        tests/kdc/krb5-pkinit.conf.in


Love



Re: Getting PK-INIT to work?

Fredrik Pettai
On Dec 2, 2014, at 14:50 , Love Hörnquist Åstrand <[hidden email]> wrote:

>> I read up on "Setting up PK-INIT" from http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html and looking in the heimdal / hx509 info docs. After following the example generating CA, KDC, and User certificates from the webpage above + KDC and client configuration, then I try to authenticate using kinit, I get:
>>
>> -bash-4.3$ kinit -C FILE:hx/pettai.pem [hidden email]
>> kinit: krb5_get_init_creds_opt_set_pkinit: PKINIT: No anchor given
>>
>> Trust Anchor is very briefly described, but not how to configure that, so I assumed that it would be the certificate of the self signed CA (which I configured in /etc/krb5.conf as described in section 4.22).
>>
>> Any hints to why I get this message from kinit?
>
> Because you didn't pass the anchor explicitly to kinit, or you got the configuration option wrong in the file.
>
> Just to confuse you, the option is in the app default section by default, see
>
> tests/kdc/krb5-pkinit.conf.in

Yes, a slight config error (dash instead of underscore).

I should have tried using verify_krb5_conf…

Thx,
/P
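The thread does not say which key carried the dash, so the following added example (not code from the thread or from Heimdal) assumes the usual case: `pkinit_anchors` in `[appdefaults]` written as `pkinit-anchors`, which kinit does not recognise and so reports "No anchor given". It parses a constructed Heimdal-style krb5.conf (sections plus nested `{ }` bindings) and reports dash-spelled pkinit keys and a missing anchors setting, the kind of check verify_krb5_conf would have caught.

```python
import re

# Constructed sample: client krb5.conf with the anchors key spelled with a dash.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }

[appdefaults]
    pkinit-anchors = FILE:/etc/krb5/ca.pem
    pkinit_require_eku = yes
"""

# Heimdal client/KDC pkinit keys use underscores (the [kdc] switch enable-pkinit
# is the odd one out with a dash, which is where the confusion usually starts).
KNOWN_PKINIT_KEYS = {"pkinit_anchors", "pkinit_identity", "pkinit_pool",
                     "pkinit_require_eku", "pkinit_require_krbtgt_otherName",
                     "pkinit_win2k", "pkinit_win2k_require_binding"}

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; keys inside { } blocks are joined with '/'."""
    sections, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            section, stack = m.group(1), []
            sections.setdefault(section, {})
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m or section is None:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":                          # start of a nested binding
            stack.append(key)
            continue
        sections[section].setdefault("/".join(stack + [key]), []).append(value)
    return sections

def check_pkinit(sections):
    """List findings: pkinit keys spelled with '-' (silently unused) and no anchors."""
    findings = []
    for sec, bindings in sections.items():
        for key in bindings:
            leaf = key.rsplit("/", 1)[-1]
            fixed = leaf.replace("-", "_")
            if "-" in leaf and fixed in KNOWN_PKINIT_KEYS:
                findings.append(f"[{sec}] {leaf}: should be {fixed}")
    if "pkinit_anchors" not in sections.get("appdefaults", {}):
        findings.append("[appdefaults] pkinit_anchors missing: kinit -C will say 'No anchor given'")
    return findings
```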