Hi,

I request a new cert signed by my CA on a FreeIPA server (v. 4.12.2). I've used yubico-piv-tool to generate the pub key (RSA 2048) and the CSR with these commands:

# yubico-piv-tool --key=$KEY -a generate -s 9a -A RSA2048 -o pub.pem
# yubico-piv-tool -a verify -a request -s 9a -P $PIN -S testuser -i pub.pem -o req.pem
# ipa cert-request --profile-id=caIPAuserCert --principal testuser req.pem
# yubico-piv-tool --key=$KEY -a import-certificate -i cert.pem -s 9a
Successfully generated a certificate request.

# yubico-piv-tool -a status
----------
Version:        5.2.4
Serial Number:  13650097
CHUID:  3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410d8c945bb687fce09b0aabace3e5aee54350832303330303130313e00fe00
CCC:    f015a000000116ff02d5ed3808a889ef7813b255513e49f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
        Algorithm:      RSA2048
        Subject DN:     O=EXAMPLE.COM, CN=testuser
        Issuer DN:      O=EXAMPLE.COM, CN=Certificate Authority
        Fingerprint:    b3734e2d6b4f564096b8d23349ce327468212088511808771fc2dcaef955cb6c
        Not Before:     Dec 17 12:30:24 2024 GMT
        Not After:      Dec 18 12:30:24 2026 GMT
PIN tries left: 3
--------

Everything looks good and there are no issues while generating the cert.

But when I try to authenticate via kinit I get the error below:

# KRB5_TRACE=/dev/stderr kinit -X 'X509_user_identity=PKCS11:module_name=opensc-pkcs11.so:slotid=0:certid=01' testu...@example.com
---------------------
[1806878] 1734439236.12071: Getting initial credentials for testu...@example.com
[1806878] 1734439236.12073: Sending unauthenticated request
[1806878] 1734439236.12074: Sending request (216 bytes) to EXAMPLE.COM
[1806878] 1734439236.12075: Initiating TCP connection to stream 92.117.239.216:88
[1806878] 1734439236.12076: Sending TCP request to stream 92.117.239.216:88
[1806878] 1734439236.12077: Received answer (572 bytes) from stream 92.117.239.216:88
[1806878] 1734439236.12078: Terminating TCP connection to stream 92.117.239.216:88
[1806878] 1734439236.12079: Response was from master KDC
[1806878] 1734439236.12080: Received error from KDC: -1765328359/Additional pre-authentication required
[1806878] 1734439236.12083: Preauthenticating using KDC method data
[1806878] 1734439236.12084: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1806878] 1734439236.12085: Selected etype info: etype aes256-cts, salt "54=HJ*K8W$[yd5%9", params ""
[1806878] 1734439236.12086: Received cookie: MIT1\x00\x00\x00\x01I\x12\xb1M+\xf8\x98\\xe3\x83\x9ds\xaa\x9b\xbe\xa6\x14\xb4\xbd\x0c\xcf\x03\xe6Y\xcf\xad\x9bN\xd2\x199\xe5y\xdd\xe5e\xda\xa4\xcf*.\xdfP\x19\xc2\xff\x97\x1a\xd0\x12\xd777\xa5\xab\xff\x17\x9e\xf9\xeb\x84\xf7\xff^\x7f\xaab \x9b\xc2\xf2\xb8\xdf\xd7*x0Pb\xbcw(`\x18\x92mx\x06~\xa2\x97(\x9b\x81\xac\xb4\x924\xee\xb2\xad\xb4\\x0d\xbb\xd96\xb9<\x96\xacN\xed\x85=\xb1\xb2H=I\x9a\xf60^\xd3\xe8\xbc\xd5..X\xa1\x1b\x8c\xc7\x04\x84\xd0\xf5\xc9*y
[1806878] 1734439239.509152: Preauth module pkinit (147) (info) returned: 0/Success
[1806878] 1734439239.509153: PKINIT client received freshness token from KDC
[1806878] 1734439239.509154: Preauth module pkinit (150) (info) returned: 0/Success
testuser PIN: ******
[1806878] 1734439246.189952: PKINIT loading CA certs and CRLs from FILE
[1806878] 1734439246.189953: PKINIT loading CA certs and CRLs from FILE
[1806878] 1734439246.189954: PKINIT client computed kdc-req-body checksum 9/7D1E16CF5D1D663387C325C75ED56758D8071597
[1806878] 1734439246.189956: PKINIT client making DH request
[1806878] 1734439246.189957: Preauth module pkinit (16) (real) returned: 0/Success
[1806878] 1734439246.189958: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[1806878] 1734439246.189959: Sending request (3288 bytes) to EXAMPLE.COM
[1806878] 1734439246.189960: Initiating TCP connection to stream 92.117.239.216:88
[1806878] 1734439246.189961: Sending TCP request to stream 92.117.239.216:88
[1806878] 1734439246.189962: Received answer (195 bytes) from stream 92.117.239.216:88
[1806878] 1734439246.189963: Terminating TCP connection to stream 92.117.239.216:88
[1806878] 1734439246.189964: Response was from master KDC
[1806878] 1734439246.189965: Received error from KDC: -1765328304/Digest in signed-data not accepted
kinit: Digest in signed-data not accepted while getting initial credentials
--------------------------------------

Any suggestions as to what could be wrong? On my old IPA server (v. 4.6.8) everything works fine.

--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
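As an added example (not part of the original post), a small Python parser for KRB5_TRACE output like the dump above: it converts the com_err values kinit prints into their RFC 4120 / RFC 4556 KDC error codes and separates the routine "Additional pre-authentication required" round-trip from the KDC's rejection of the PKINIT request itself. The error-table base constant is MIT krb5's ERROR_TABLE_BASE_krb5 and the two error names are the RFC 4556 ones; the sample trace is a constructed, trimmed copy of the lines quoted in the post.

```python
"""Parse MIT Kerberos KRB5_TRACE output and surface the KDC error sequence."""
import re

# ERROR_TABLE_BASE_krb5 from MIT krb5: RFC 4120/4556 KDC error codes are offsets
# from it (the post's own trace confirms it: -1765328384 + 25 == -1765328359).
KRB5_ERR_BASE = -1765328384
KDC_ERR_NAMES = {25: "KDC_ERR_PREAUTH_REQUIRED",  # the two codes seen in the post
                 80: "KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED"}
TRACE_LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
KDC_ERROR = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")
PREAUTH = re.compile(r"Preauth module (\w+) \((\d+)\) \((\w+)\) returned: (-?\d+)/")

def parse_trace(text):
    """Return (pid, timestamp, message) tuples for every well-formed trace line."""
    out = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out

def kdc_errors(entries):
    """Translate each 'Received error from KDC' entry into its protocol error code."""
    found = []
    for _, ts, msg in entries:
        m = KDC_ERROR.search(msg)
        if m:
            code = int(m.group(1)) - KRB5_ERR_BASE
            found.append((ts, code, KDC_ERR_NAMES.get(code, "UNKNOWN"), m.group(2)))
    return found

def diagnose(text):
    """Return (pkinit_request_sent, final_error_name). PREAUTH_REQUIRED is the normal
    first reply; an error arriving after the pkinit 'real' phase succeeded on the
    client means the KDC rejected the PKINIT request itself."""
    entries = parse_trace(text)
    pkinit_sent = any((m := PREAUTH.search(msg)) and m.group(1) == "pkinit"
                      and m.group(3) == "real" and m.group(4) == "0"
                      for _, _, msg in entries)
    errs = [e for e in kdc_errors(entries) if e[1] != 25]
    return pkinit_sent, (errs[-1][2] if errs else None)

# Constructed sample: a trimmed copy of the trace lines quoted in the post.
SAMPLE_TRACE = """\
[1806878] 1734439236.12080: Received error from KDC: -1765328359/Additional pre-authentication required
[1806878] 1734439239.509152: Preauth module pkinit (147) (info) returned: 0/Success
[1806878] 1734439246.189957: Preauth module pkinit (16) (real) returned: 0/Success
[1806878] 1734439246.189965: Received error from KDC: -1765328304/Digest in signed-data not accepted
"""
```

Running diagnose(SAMPLE_TRACE) yields (True, 'KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED'), i.e. the client did send a PA-PK-AS-REQ and the KDC rejected it, which narrows the problem to the CMS SignedData the client produced rather than to the AS exchange itself.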