On 01/05/2015 03:24 AM, Siddharth Mathur wrote:
> Despite deploying the right kind of client certificates on my mobile
> devices (iOS) and using the right type of certificate on the KDC, I am
> not sure if they are talking certificates at all. How do I debug if
> the certificate matching rules are actually being evaluated on the
> server, assuming the client is using its cert in the first place?

With a desktop client it's easy to see what's going on using KRB5_TRACE on the client, but with a mobile app that's not so easy. Wireshark or another network-tracing tool can help, although interpreting the output can be tricky.

> The krb5kdc.log file has no PKINIT events at all when a client request
> comes in. This is despite rebuilding the plugin with DEBUG macro on in
> the header file. Any pointers?

PKINIT DEBUG output just goes to stdout, so you need to run krb5kdc -n and look at the terminal output to see it.

> Since all my users will be _new_ users, I wish to have no passwords at
> all while creating new user (device) principals, relying only on PKI.
> The PKINIT documentation
> (http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html)
> suggests using -nokey argument for add_principal, but I still get
> errors issuing a new token.
>
> add_principal +requires_preauth -nokey 197...@domain.mobi
>
> AS_REQ (4 etypes {18 17 16 23}) 182.74.74.193: NEEDED_PREAUTH:
> 197...@domain.mobi for krbtgt/domain.m...@domain.mobi, Additional
> pre-authentication required

A NEEDED_PREAUTH error is a normal part of a preauthentication scenario, so I'll need more information to be able to help with this. It might help to try deploying to a regular Unix client, to help distinguish between client-side issues with the iOS Kerberos implementation (which I'm not very familiar with) and server-side issues.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
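As an added example that is not part of the thread: a small Python script that reads krb5kdc.log AS_REQ lines and, per client principal, reports whether the exchange stopped at NEEDED_PREAUTH (the normal first round trip the reply describes), went on to ISSUE, or was rejected with PREAUTH_FAILED together with the preauth mechanism's logged reason. The log excerpt, hostnames, IPs, principals and the EXAMPLE.COM realm are constructed.

```python
import re
from collections import defaultdict

# Constructed sample krb5kdc.log excerpt (not taken from the thread); host, IPs,
# principals and the realm EXAMPLE.COM are placeholders.
SAMPLE_LOG = """\
Jan 05 03:20:01 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: dev1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 05 03:20:02 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1420428002, etypes {rep=18 tkt=18 ses=18}, dev1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 05 03:21:07 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: NEEDED_PREAUTH: dev2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 05 03:21:09 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: NEEDED_PREAUTH: dev2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 05 03:22:30 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: NEEDED_PREAUTH: dev3@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 05 03:22:31 kdc krb5kdc[2231](info): preauth (pkinit) verify failure: Client name mismatch
Jan 05 03:22:31 kdc krb5kdc[2231](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: PREAUTH_FAILED: dev3@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

# One AS_REQ outcome line; the ISSUE form carries authtime/etypes before the client name.
AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<server>[^,\s]+)")
# Per-mechanism rejection the KDC logs just before the matching PREAUTH_FAILED line.
VERIFY_FAIL_RE = re.compile(r"preauth \((?P<mech>\w+)\) verify failure: (?P<msg>.+)")


def summarize(log_text):
    """Map each client principal to a verdict on how far its AS exchange got."""
    statuses = defaultdict(list)
    reasons = {}
    pending = None  # verify-failure text waiting for its PREAUTH_FAILED line
    for line in log_text.splitlines():
        fail = VERIFY_FAIL_RE.search(line)
        if fail:
            pending = f"{fail['mech']}: {fail['msg']}"
            continue
        m = AS_REQ_RE.search(line)
        if not m:
            continue
        statuses[m["client"]].append(m["status"])
        if m["status"] == "PREAUTH_FAILED" and pending:
            reasons[m["client"]] = pending  # heuristic: attach the preceding failure
            pending = None
    verdicts = {}
    for client, seen in statuses.items():
        if "ISSUE" in seen:
            verdicts[client] = "ok: preauth completed, ticket issued"
        elif "PREAUTH_FAILED" in seen:
            verdicts[client] = "kdc rejected preauth (" + reasons.get(client, "no detail logged") + ")"
        else:  # only NEEDED_PREAUTH seen: the client never sent a preauth answer
            verdicts[client] = ("client never answered NEEDED_PREAUTH (%d request(s)); "
                                "look at the client side" % len(seen))
    return verdicts
```

Run it against a real krb5kdc.log once the KDC has served a few requests; a principal that only ever shows NEEDED_PREAUTH points at the client never sending its PKINIT data, while PREAUTH_FAILED with a pkinit reason points at the KDC-side certificate checks.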