I'm having issues when trying to use set_string with pkinit_cert_match. PKINIT does work when the SAN matches the user's principal explicitly. It does not work when I try to map it to a user where the principal does not match the SAN.
I'm using MIT Kerberos 1.16 on both clients and servers. The KDC replies with 'Received error from KDC: -1765328309/Client name mismatch' no matter what I try to match on. I've tried several variations (with/without whitespace, commas escaped, with/without quotes, explicit fields, wildcards, etc.):

  set_string differentuser pkinit_cert_match <SAN>.*@PALLISSARD.NET
  set_string differentuser pkinit_cert_match <SAN>.*
  set_string differentuser pkinit_cert_match <SAN>u...@pallissard.net
  set_string differentuser pkinit_cert_match "<SUBJECT>C=US,ST=Full,O=Subject,OU=line,CN=user"
  set_string differentuser pkinit_cert_match "<SUBJECT>.*CN=user"

'pkinit_eku_checking = none' is set on the KDC. I've tried it in the [kdcdefaults] section as well as the realm-specific sub-section of [realms].

Am I missing something here?

Thanks in advance.

Matt Pallissard

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos