Hi Greg Hudson, Thank you much. Resolved
Installed the openssl-dev on my centos. and ran the reconfigure the PKINIT is "yes" in config.log. which was earlier "no" Regards Santosh On Mon, Sep 3, 2018 at 8:10 PM Greg Hudson <ghud...@mit.edu> wrote: > [image: Boxbe] <https://www.boxbe.com/overview> Greg Hudson ( > ghud...@mit.edu) is not on your Guest List > <https://www.boxbe.com/approved-list?tc_serial=42796765645&tc_rand=201652435&utm_source=stf&utm_medium=email&utm_campaign=ANNO_MWTP&utm_content=001&key=GcinhYs4iD2146k0hKn737J3O%2BJKYTbnbMGMK%2BCY%2Flk%3D&token=GrtaD9SIulG%2B3OvDNdl2CuL5RmoQ3zQTiCNsKIvme4jyGhJ3lHtM%2Bt5YgS%2B6P0wn> > | Approve sender > <https://www.boxbe.com/anno?tc_serial=42796765645&tc_rand=201652435&utm_source=stf&utm_medium=email&utm_campaign=ANNO_MWTP&utm_content=001&key=GcinhYs4iD2146k0hKn737J3O%2BJKYTbnbMGMK%2BCY%2Flk%3D&token=GrtaD9SIulG%2B3OvDNdl2CuL5RmoQ3zQTiCNsKIvme4jyGhJ3lHtM%2Bt5YgS%2B6P0wn> > | Approve domain > <https://www.boxbe.com/anno?tc_serial=42796765645&tc_rand=201652435&utm_source=stf&utm_medium=email&utm_campaign=ANNO_MWTP&utm_content=001&dom&key=GcinhYs4iD2146k0hKn737J3O%2BJKYTbnbMGMK%2BCY%2Flk%3D&token=GrtaD9SIulG%2B3OvDNdl2CuL5RmoQ3zQTiCNsKIvme4jyGhJ3lHtM%2Bt5YgS%2B6P0wn> > On 09/03/2018 07:06 AM, Santosh Kumar wrote: > > Could you please help with information how can i enable and use pkinit. > > From your description, my best guess is that you need to install the > OpenSSL development files so that PKINIT can be built. You didn't > mention what platform you are on; for Debian or Ubuntu this means > installing the libssl-dev package. You can check config.log (in the > directory where you ran configure) to see if PKINIT is enabled: > > configure:12841: checking for a recent enough OpenSSL > [a couple of lines of building a test program] > configure:12862: result: yes > [...] > PKINIT='yes' > > If PKINIT is being built but still isn't working, check the KDC logs (if > you control the KDC) for a message like "preauth pkinit failed to > initialize". On the client side, use "KRB5_TRACE=/dev/stdout kinit ..." > to look for messages about PKINIT failing on the client side. > > If either the KDC or the client cannot use PKINIT, kinit will prompt for > a password if the KDC also offers encrypted timestamp. If you control > the KDC and it is running MIT krb5 1.12 or later, you can disable > encrypted timestamp by removing the principal's long-term keys. See > http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html for > instructions on this as well as more information about setting up PKINIT. > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
