PFA the latest logs. I'm able to enter the PIN, and then this log is generated. Please let us know what the next step is.
Regards,
Vikram

On Wed, 3 Mar 2021 at 16:20, Vikram Yadav <vikram...@gmail.com> wrote:
>
> Hello Ken,
>
> Thanks for your kind response!
>
> I rectified the pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com and
> tested again, but it throws an error regarding "no acceptable EKU in KDC
> cert".
>
> I read the link you sent in the mail below; it says setting
> pkinit_eku_checking is not necessary.
>
> What should we do now?
>
> Regards,
> Vikram
>
> -----Original Message-----
> From: Ken Hornstein <k...@cmf.nrl.navy.mil>
> Sent: Tuesday, March 2, 2021 7:59 PM
> To: Pal, Vikram
> Cc: kerberos@mit.edu; Agrawal, Rajeev; Shastry, Shashiraja;
> Rajagopalan, SrinivasaRagavan; Venkatesh, Ramanujam
> Subject: Re: kinit failing when AD user joining using smartcard PIN on
> ubuntu 20.04
>
>
> [EXTERNAL EMAIL]
>
> >PFA the Kerberos logs obtained while running the kinit command. Could you
> >please help us understand where we are going wrong here & what should we
> >do to make it work?
>
> Well, you COULD have included them as text rather than a picture :-)
> But, fine. I see you get a PIN prompt, but I'm not clear if you
> actually had the chance to enter in a PIN or not. Also, I see this:
>
> PKINIT no anchor CA in file /etc/ssl/ca-pem/root//blrdhcdev.cer
>
> And that file extension makes me think the certificate there is in DER
> format, not PEM. But I think your REAL problem is down below:
>
> PKINIT client config accepts KDC dNSName SAN BLRDHCDEV.COM
> PKINIT client found dNSName SAN in KDC cert: blrdhcdev-ad.blrdhcdev.com
> PKINIT client found no acceptable SAN in KDC cert
>
> You can read about the PKINIT client configuration here:
>
> https://web.mit.edu/kerberos/krb5-1.17/doc/admin/pkinit.html
>
> The key section is down where it says "Configuring the clients".
> It looks like you have
>
> pkinit_kdc_hostname = BLRDHCDEV.COM
>
> But it really should be
>
> pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
>
> (and you need one of those for each of your AD server hostnames).
>
> This is the configuration that tells the client that it can trust the
> KDC certificate. If you don't have the KDC certificate with the
> special extensions that say, "This certificate is valid for your
> realm", then your client needs to be configured to say, "This set of
> certificates is valid for a KDC certificate". And you need to
> explicitly list every dNSName in your client. That's what
> pkinit_kdc_hostname does.
>
> --Ken
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
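The two client-side decisions discussed in this thread (does any dNSName in the KDC certificate match a pkinit_kdc_hostname entry, and does the certificate carry an EKU that pkinit_eku_checking accepts), plus the PEM-versus-DER question about the anchor file, modelled as an offline check. This is an added example, not code from the thread or from MIT krb5. It assumes the certificate's SAN and EKU fields have already been extracted (for instance with `openssl x509 -text -noout -in kdc.pem`), it takes the pkinit_eku_checking semantics from the MIT pkinit documentation as I read them (kpKDC requires id-pkinit-KDC, kpServerAuth additionally accepts id-kp-serverAuth, none skips the check), and the krb5.conf fragments, the certificate fields and the second DC hostname `blrdhcdev-ad2.blrdhcdev.com` are constructed for illustration.

```python
"""Offline model of the PKINIT client's KDC-certificate acceptance test.
Added example for the kerberos@mit.edu thread above; not MIT krb5 code."""
import re

# OIDs from RFC 4556 and RFC 5280
ID_PKINIT_KDC = "1.3.6.1.5.2.3.5"        # id-pkinit-KDC extended key usage
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth extended key usage


def parse_realm_stanza(krb5_conf, realm):
    """Return {key: [values]} for the `REALM = { ... }` block under [realms].
    Values are lists because krb5.conf lets a key repeat, which is how one
    pkinit_kdc_hostname line per AD server is expressed."""
    in_realms = in_realm = False
    depth, stanza = 0, {}
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):                  # new section header
            in_realms = line == "[realms]"
            continue
        if not in_realms:
            continue
        if not in_realm:
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m and m.group(1) == realm:
                in_realm, depth = True, 1
            continue
        if line.endswith("{"):                    # nested block inside the realm
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stanza.setdefault(key, []).append(value)
    return stanza


def check_kdc_cert(realm, krb5_conf, dns_sans, ekus, pkinit_san=None):
    """Decide whether the client would accept the KDC certificate.
    SAN: an id-pkinit-san otherName naming krbtgt/REALM@REALM is accepted as
    is; otherwise some dNSName must equal (case-insensitively, DNS names are)
    one of the realm's pkinit_kdc_hostname values.  EKU: per pkinit_eku_checking
    (assumed semantics, see lead-in).  Returns (accepted, reason)."""
    cfg = parse_realm_stanza(krb5_conf, realm)
    if pkinit_san != "krbtgt/%s@%s" % (realm, realm):
        wanted = {h.lower() for h in cfg.get("pkinit_kdc_hostname", [])}
        found = {h.lower() for h in dns_sans}
        if not (wanted & found):
            return False, ("no acceptable SAN in KDC cert: cert has %s, "
                           "config accepts %s" % (sorted(found), sorted(wanted)))
    mode = cfg.get("pkinit_eku_checking", ["kpKDC"])[-1]
    allowed = {"kpKDC": {ID_PKINIT_KDC},
               "kpServerAuth": {ID_PKINIT_KDC, ID_KP_SERVER_AUTH},
               "none": None}[mode]
    if allowed is not None and not (allowed & set(ekus)):
        return False, "no acceptable EKU in KDC cert (pkinit_eku_checking = %s)" % mode
    return True, "KDC cert accepted"


def anchor_file_format(data):
    """Sniff a pkinit_anchors FILE: PEM is what the client expects; a .cer
    exported from Windows is usually DER and starts with a SEQUENCE tag."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


REALM = "BLRDHCDEV.COM"

# Constructed krb5.conf fragments.  BROKEN_CONF uses the realm name as the
# KDC hostname, as in the first log; FIXED_CONF lists the real KDC hostname
# from the thread plus a hypothetical second DC.
BROKEN_CONF = """
[libdefaults]
    default_realm = BLRDHCDEV.COM

[realms]
    BLRDHCDEV.COM = {
        kdc = blrdhcdev-ad.blrdhcdev.com
        pkinit_anchors = FILE:/etc/ssl/ca-pem/root/blrdhcdev.pem
        pkinit_kdc_hostname = BLRDHCDEV.COM
    }
"""
FIXED_CONF = """
[realms]
    BLRDHCDEV.COM = {
        kdc = blrdhcdev-ad.blrdhcdev.com
        pkinit_anchors = FILE:/etc/ssl/ca-pem/root/blrdhcdev.pem
        pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
        # hypothetical second domain controller, one line per KDC
        pkinit_kdc_hostname = blrdhcdev-ad2.blrdhcdev.com
    }
"""
FIXED_CONF_KPSERVERAUTH = FIXED_CONF.replace(
    "    }", "        pkinit_eku_checking = kpServerAuth\n    }")

# Constructed stand-in for the KDC certificate's relevant fields: the dNSName
# the log reports, and a hypothetical EKU list with serverAuth but no
# id-pkinit-KDC, so the thread's second error can be reproduced.
KDC_CERT = {"dns_sans": ["blrdhcdev-ad.blrdhcdev.com"], "ekus": [ID_KP_SERVER_AUTH]}

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF),
                       ("fixed+kpServerAuth", FIXED_CONF_KPSERVERAUTH)):
        print(name, check_kdc_cert(REALM, conf, **KDC_CERT))
    print(anchor_file_format(b"\x30\x82\x03\x10\x30\x82\x01\xf8"))
```

If `anchor_file_format` reports DER for the file named in pkinit_anchors, convert it with `openssl x509 -inform der -in blrdhcdev.cer -out blrdhcdev.pem` and point pkinit_anchors at the PEM copy; the SAN and EKU checks only run once the anchor loads and the KDC certificate chains to it.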