krbdev Digest, Vol 127, Issue 6
Vivian zhang
jianz3 at yahoo.com
Fri Jul 26 13:27:48 EDT 2013
Thanks! Corrected the typo, but still fails with the same error.
Vivian
________________________________
From: "krbdev-request at mit.edu" <krbdev-request at mit.edu>
To: krbdev at mit.edu
Sent: Friday, July 26, 2013 12:13 PM
Subject: krbdev Digest, Vol 127, Issue 6
Today's Topics:
1. Re: configure PKINIT on Linux got No realms configured
correctly for pkinit support (Vivian zhang)
2. Re: configure PKINIT on Linux got No realms configured
correctly for pkinit support (Greg Hudson)
----------------------------------------------------------------------
Message: 1
Date: Thu, 25 Jul 2013 09:57:18 -0700 (PDT)
From: Vivian zhang <jianz3 at yahoo.com>
Subject: Re: configure PKINIT on Linux got No realms configured
correctly for pkinit support
To: Benjamin Kaduk <kaduk at mit.edu>
Cc: "krbdev at mit.edu" <krbdev at mit.edu>
Message-ID:
<1374771438.42360.YahooMailNeo at web125705.mail.ne1.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
Hi Ben,
Thanks for replying. I do have all those three items in my kdc.conf. Here is my kdc.conf:
[kdcdefaults]
  kdc_ports = 88
[realms]
  BARBW.REALM = {
    database_name = /usr/local/var/krb5kdc/principal
    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    acl_file = /usr/local/var/krb5kdc/kadm5.acl
    key_stash_file = /usr/local/var/krb5kdc/stash
    kdc_ports = 88
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = aes256-cts-hmac-sha1-96
    supported_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc
    default_principal_flags = +preauth
    key_stash_file = /usr/local/var/krb5kdc/.k5.BARBW.REALM
    pkinit_identify = FILE:/var/lib/kerberos/krb5kdc/kdc.pem,/var/lib/kerberos/krb5kdc/kdckey.pem
    pkinit_anchors = FILE:/var/lib/kerberos/krb5kdc/cacert.pem
    kdc_tcp_ports = 88
  }
[logging]
  kdc = FILE:/var/log/krb5kdc/kdc.log
  admin_server = FILE:/var/log/krb5kdc/kadmin.log
[plugins]
  kdcpreauth = {
    module = pkinit:/usr/lib/krb5/plugins/preauth/pkinit.so
  }
Thank you again
Vivian
________________________________
From: Benjamin Kaduk <kaduk at MIT.EDU>
To: Vivian zhang <jianz3 at yahoo.com>
Cc: "krbdev at mit.edu" <krbdev at MIT.EDU>
Sent: Tuesday, July 23, 2013 8:14 PM
Subject: Re: configure PKINIT on Linux got No realms configured correctly for pkinit support
On Tue, 23 Jul 2013, Vivian zhang wrote:
> Hi,
>
> I am trying to get my Linux system to support PKINIT. I followed the instructions on the MIT website to generate keys and certificate, etc. I have also installed the plugin (Krb5-plugin-preauth-pkinit-1.10.2-3.16.1.i586).
>
> However, it didn't work. There is so little information online to see what is wrong. Can anybody help? The error I got from the KDC log is:
>
> (Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
> (info): setting up network...
> (info): listening on fd 7: udp 0.0.0.0.88 (pktinfo)
> ..........
>
> Has anybody encountered this problem or know what's going wrong?
You have seen
http://web.mit.edu.ezproxyberklee.flo.org/kerberos/krb5-latest/doc/admin/pkinit.html ?
Does your kdc.conf contain pkinit_identity, pkinit_anchors, and
kdc_tcp_ports options?
-Ben Kaduk
------------------------------
Message: 2
Date: Thu, 25 Jul 2013 14:19:28 -0400
From: Greg Hudson <ghudson at MIT.EDU>
Subject: Re: configure PKINIT on Linux got No realms configured
correctly for pkinit support
To: Vivian zhang <jianz3 at yahoo.com>
Cc: "krbdev at mit.edu" <krbdev at mit.edu>
Message-ID: <51F16C30.1040307 at mit.edu>
Content-Type: text/plain; charset=ISO-8859-1
On 07/25/2013 12:57 PM, Vivian zhang wrote:
> pkinit_identify = FILE:/var/lib/kerberos/krb5kdc/kdc.pem,/var/lib/kerberos/krb5kdc/kdckey.pem
This line appears to contain a typo; "identify" should be "identity".
------------------------------
End of krbdev Digest, Vol 127, Issue 6
**************************************
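As an added example (not code from the thread or from MIT krb5): a small Python check for the kind of misspelled relation Greg points out in the quoted kdc.conf. It assumes the relation list below, assembled from the MIT kdc.conf documentation, and it inspects only [realms] stanzas, so settings inherited from [kdcdefaults] are not considered; lint_pkinit, ASKED and SAMPLE are names made up for this example.

```python
import difflib
import re

# PKINIT relations documented for kdc.conf by MIT krb5 (list assembled for this example).
KNOWN_PKINIT = {
    "pkinit_allow_upn", "pkinit_anchors", "pkinit_dh_min_bits",
    "pkinit_eku_checking", "pkinit_identity", "pkinit_indicator",
    "pkinit_kdc_ocsp", "pkinit_pool", "pkinit_require_crl_checking",
    "pkinit_require_freshness", "pkinit_revoke",
}
ASKED = ("pkinit_identity", "pkinit_anchors")  # the pkinit_* relations Ben's reply asks about
# Constructed sample: the realm stanza from the thread, trimmed to the PKINIT lines.
SAMPLE = """\
[realms]
  BARBW.REALM = {
    pkinit_identify = FILE:/var/lib/kerberos/krb5kdc/kdc.pem,/var/lib/kerberos/krb5kdc/kdckey.pem
    pkinit_anchors = FILE:/var/lib/kerberos/krb5kdc/cacert.pem
    kdc_tcp_ports = 88
  }
"""

def lint_pkinit(conf_text):
    """Return (realm, message) findings for pkinit_* relations in [realms] stanzas."""
    findings, section, realm, seen = [], None, None, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):          # new top-level section
            section, realm = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            realm, seen = m.group(1), set()                 # start of a realm stanza
        elif realm and line == "}":                         # end of stanza: report gaps
            findings += [(realm, f"{k} not set in this realm stanza")
                         for k in ASKED if k not in seen]
            realm = None
        elif realm and line.startswith("pkinit_"):
            key = line.split("=", 1)[0].strip()
            if key in KNOWN_PKINIT:
                seen.add(key)
            else:                                           # unrecognized name: suggest nearest
                hint = difflib.get_close_matches(key, KNOWN_PKINIT, n=1)
                note = f" (did you mean {hint[0]}?)" if hint else ""
                findings.append((realm, f"unknown relation {key}{note}"))
    return findings

if __name__ == "__main__":
    for realm, message in lint_pkinit(SAMPLE):
        print(f"{realm}: {message}")
```

A clean result only means the relation names are recognized; it does not check that the certificate and key files exist or are readable by the KDC.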