On 09/03/2018 07:06 AM, Santosh Kumar wrote:
> Could you please help with information how can I enable and use pkinit.

From your description, my best guess is that you need to install the OpenSSL development files so that PKINIT can be built. You didn't mention what platform you are on; for Debian or Ubuntu this means installing the libssl-dev package.

You can check config.log (in the directory where you ran configure) to see if PKINIT is enabled:

    configure:12841: checking for a recent enough OpenSSL
    [a couple of lines of building a test program]
    configure:12862: result: yes
    [...]
    PKINIT='yes'

If PKINIT is being built but still isn't working, check the KDC logs (if you control the KDC) for a message like "preauth pkinit failed to initialize". On the client side, use "KRB5_TRACE=/dev/stdout kinit ..." to look for messages about PKINIT failing on the client side.

If either the KDC or the client cannot use PKINIT, kinit will prompt for a password if the KDC also offers encrypted timestamp. If you control the KDC and it is running MIT krb5 1.12 or later, you can disable encrypted timestamp by removing the principal's long-term keys. See http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html for instructions on this as well as more information about setting up PKINIT.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
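
The checks described in the message above, collected into one triage script. This is an added example, not part of the original message or of MIT krb5: the function names and the sample file contents are constructed, and only the matched strings (the OpenSSL probe line, `PKINIT='yes'`, "preauth pkinit failed to initialize") come from the message.

```shell
#!/bin/sh
# pkinit_build_status CONFIG_LOG -> enabled | no-openssl | disabled | unknown
pkinit_build_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # configure logs the probe, then "result: yes|no" a few lines later.
    probe=$(awk '/checking for a recent enough OpenSSL/ { seen = 1; next }
        seen && /result:/ { sub(/.*result: */, ""); print; exit }' "$1")
    # The variable dump in config.log holds PKINIT='yes' when it is built.
    var=$(awk -F"'" '/^PKINIT=/ { v = $2 } END { print v }' "$1")
    if [ "$var" = yes ]; then echo enabled
    elif [ "$probe" = no ]; then echo no-openssl
    elif [ -n "$var" ]; then echo disabled
    else echo unknown
    fi
}

# kdc_pkinit_init_failed KDC_LOG -> status 0 if the KDC logged the failure
kdc_pkinit_init_failed() {
    grep -q 'preauth pkinit failed to initialize' "$1" 2>/dev/null
}

# pkinit_triage CONFIG_LOG KDC_LOG -> prints the next step to take
pkinit_triage() {
    case $(pkinit_build_status "$1") in
        no-openssl) echo "install OpenSSL development files, rerun configure"; return ;;
        disabled|unknown) echo "PKINIT not confirmed in config.log"; return ;;
    esac
    if kdc_pkinit_init_failed "$2"; then
        echo "KDC: preauth pkinit failed to initialize"
    else
        echo "run kinit with KRB5_TRACE=/dev/stdout"
    fi
}

# Constructed sample files (not real output), modelled on the excerpt above.
write_samples() {
    printf '%s\n' 'configure:12841: checking for a recent enough OpenSSL' \
        'configure:12862: result: yes' "PKINIT='yes'" > "$1/good.log"
    printf '%s\n' 'configure:12841: checking for a recent enough OpenSSL' \
        'configure:12862: result: no' "PKINIT='no'" > "$1/bad.log"
    printf '%s\n' 'krb5kdc: preauth pkinit failed to initialize' > "$1/kdc.log"
}

# Demo on the constructed samples.
d=$(mktemp -d) && write_samples "$d" && pkinit_triage "$d/good.log" "$d/kdc.log"
rm -rf "$d"
```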