• kinit failing when AD user joining using smartcard PIN on ubuntu 20

    From Ken Hornstein@21:1/5 to Pal, Vikram on Mon Mar 1 14:39:58 2021
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    > We are login to Ubuntu 20.04 device using smartcard PIN. We are able to
    > login as AD user successfully. We are using Windows 2019 AD Server.

    So, I don't know what this means. I suspect that Kerberos isn't working correctly here and you're falling back to something else.

    > We tried kinit manually but it's throwing an error. It asks for PIN but immediately asks for password without waiting for the PIN to be entered.

    So ... there are a LOT of ways for PKINIT to go wrong (that's the protocol
    you use when using a smartcard), especially when a PKCS#11 module is
    involved, and some of the failure modes end up causing weird things
    to happen (and many of them cause fallbacks to a password prompt). But
    I'm not sure why you're running "sudo kinit [...]"; shouldn't you just
    run kinit without sudo? I am wondering if sudo is causing the PIN
    prompt and kinit is giving you the password prompt.

    My suggestion is to run kinit again with the environment variable
    KRB5_TRACE set to point to a debug file. E.g:

    env KRB5_TRACE=/tmp/kinit.log kinit [extra kinit options here]

    That might point you to what is going wrong.

    --Ken

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ken Hornstein@21:1/5 to Pal, Vikram on Tue Mar 2 09:28:35 2021
    Copy: shashiraja.shastry@dell.com (Shastry, Shashiraja)
    Copy: srinivasa.ragavan@dell.com (Rajagopalan, SrinivasaRagavan)
    Copy: rajeev.a@dell.com (Agrawal, Rajeev)
    Copy: ramanujam.venkatesh@dell.com (Venkatesh, Ramanujam)
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    > PFA the Kerberos logs got while running kinit command. Could you please
    > help us understand as to where we are going here & what should we do to
    > make it work?

    Well, you COULD have included them as text rather than a picture :-)
    But, fine. I see you get a PIN prompt, but I'm not clear if you actually
    had the chance to enter in a PIN or not. Also, I see this:

    PKINIT no anchor CA in file /etc/ssl/ca-pem/root//blrdhcdev.cer

    And that file extension makes me think the certificate there is in DER
    format, not PEM. But I think your REAL problem is down below:

    PKINIT client config accepts KDC dNSName SAN BLRDHCDEV.COM
    PKINIT client found dNSName SAN in KDC cert: blrdhcdev-ad.blrdhcdev.com
    PKINIT client found no acceptable SAN in KDC cert

    You can read about the PKINIT client configuration here:

    https://web.mit.edu/kerberos/krb5-1.17/doc/admin/pkinit.html

    The key section is down where it says "Configuring the clients".
    It looks like you have

    pkinit_kdc_hostname = BLRDHCDEV.COM

    But it really should be

    pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com

    (and you need one of those for each of your AD server hostnames).

    This is the configuration that tells the client that it can trust the
    KDC certificate. If you don't have the KDC certificate with the special extensions that say, "This certificate is valid for your realm",
    then your client needs to be configured to say, "This set of certificates
    is valid for a KDC certificate". And you need to explicitly list every
    dNSName in your client. That's what pkinit_kdc_hostname does.

    --Ken

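The two findings in Ken's reply (a `pkinit_kdc_hostname` that names the realm instead of the KDC host in the certificate's SAN, and an anchor file that looks like DER rather than PEM) can be checked mechanically. The script below is an added example, not code from the thread or from MIT krb5: it reads a krb5.conf fragment, compares the listed hostnames against the dNSName SANs the KDC certificate carries, sniffs a certificate file for a PEM header, and condenses the PKINIT SAN lines of a KRB5_TRACE log into one finding. The krb5.conf fragments, the certificate files and the trace lines are constructed to reproduce what the thread shows; the function names are mine. The case-insensitive hostname comparison is this script's choice, not a statement about how krb5 compares them.

```sh
#!/bin/sh
# Added example (not from the thread): checks for the PKINIT client-side
# misconfiguration discussed above, against constructed inputs so it runs offline.

# Constructed krb5.conf fragment reproducing the misconfiguration in the trace:
# pkinit_kdc_hostname names the realm, not the hostname in the KDC cert's SAN.
BAD_KRB5_CONF='[realms]
 BLRDHCDEV.COM = {
  kdc = blrdhcdev-ad.blrdhcdev.com
  pkinit_anchors = FILE:/etc/ssl/ca-pem/root/blrdhcdev.cer
  pkinit_kdc_hostname = BLRDHCDEV.COM
 }'

# Same fragment with the fix Ken suggests: one entry per AD server hostname.
GOOD_KRB5_CONF='[realms]
 BLRDHCDEV.COM = {
  kdc = blrdhcdev-ad.blrdhcdev.com
  pkinit_anchors = FILE:/etc/ssl/ca-pem/root/blrdhcdev.pem
  pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
 }'

# The PKINIT lines quoted in the thread (constructed sample; a real KRB5_TRACE
# log prefixes each line with a pid and timestamp, which the parser ignores).
TRACE_SAMPLE='PKINIT no anchor CA in file /etc/ssl/ca-pem/root//blrdhcdev.cer
PKINIT client config accepts KDC dNSName SAN BLRDHCDEV.COM
PKINIT client found dNSName SAN in KDC cert: blrdhcdev-ad.blrdhcdev.com
PKINIT client found no acceptable SAN in KDC cert'

# pkinit_kdc_hostnames CONF REALM: print every pkinit_kdc_hostname value in REALM's stanza.
pkinit_kdc_hostnames() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inside = 1; next }
        inside && $1 == "}"                    { inside = 0 }
        inside && $1 == "pkinit_kdc_hostname"  { print $3 }
    '
}

# san_accepted CONF REALM SAN...: succeed if at least one dNSName SAN from the KDC
# certificate is listed in pkinit_kdc_hostname, the condition the trace reports on.
# Comparison is case-insensitive here (script's choice); keep entries in the cert's exact form.
san_accepted() {
    conf="$1"; realm="$2"; shift 2
    accepted=$(pkinit_kdc_hostnames "$conf" "$realm" | tr 'A-Z' 'a-z')
    for san in "$@"; do
        san_lc=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        for name in $accepted; do
            [ "$name" = "$san_lc" ] && return 0
        done
    done
    return 1
}

# cert_format FILE: print PEM if the file carries a PEM header, otherwise DER.
# A FILE: anchor should be a PEM bundle; a .cer file is often raw DER.
cert_format() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# trace_summary TRACE: condense the PKINIT SAN lines of a KRB5_TRACE log into one finding.
trace_summary() {
    printf '%s\n' "$1" | awk '
        /config accepts KDC dNSName SAN/ { acc = acc " " $NF }
        /found dNSName SAN in KDC cert:/ { got = got " " $NF }
        /found no acceptable SAN/        { bad = 1 }
        END {
            if (bad) printf "KDC SAN%s not in pkinit_kdc_hostname (config has%s)\n", got, acc
            else print "SAN check passed"
        }
    '
}

# trace_kinit ARGS...: run kinit with tracing as the thread recommends; no sudo,
# since sudo usually scrubs KRB5_TRACE from the environment.
trace_kinit() {
    env KRB5_TRACE=/tmp/kinit.log kinit "$@"
}

# run_checks: walk the constructed inputs and print what each check concludes.
run_checks() {
    trace_summary "$TRACE_SAMPLE"
    san_accepted "$BAD_KRB5_CONF"  BLRDHCDEV.COM blrdhcdev-ad.blrdhcdev.com \
        && echo "bad conf: accepted"  || echo "bad conf: no acceptable SAN"
    san_accepted "$GOOD_KRB5_CONF" BLRDHCDEV.COM blrdhcdev-ad.blrdhcdev.com \
        && echo "good conf: accepted" || echo "good conf: no acceptable SAN"
}

if [ "${1:-}" = demo ]; then run_checks; fi
```

Run it as `sh check_pkinit.sh demo` for the walkthrough, or source it and point `san_accepted` at the real krb5.conf and at the SAN list from `openssl x509 -noout -ext subjectAltName` on the KDC certificate.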
  • From Pal, Vikram@21:1/5 to Ken Hornstein on Tue Mar 2 08:35:48 2021
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    Hello Ken,

    I tried again according to your suggestion but I'm not getting any logging info in =/tmp/kinit.log

    Am I missing something here?

    Regards,
    Vikram

    -----Original Message-----
    From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
    Sent: Tuesday, March 2, 2021 1:10 AM
    To: Pal, Vikram
    Cc: kerberos@mit.edu
    Subject: Re: kinit failing when AD user joining using smartcard PIN on ubuntu 20.04



    We are login to Ubuntu 20.04 device using smartcard PIN. We are able to
    login as AD user successfully. We are using Windows 2019 AD Server.

    So, I don't know what this means. I suspect that Kerberos isn't working correctly here and you're falling back to something else.

    We tried kinit manually but it's throwing an error. It asks for PIN but immediately asks for password without waiting for the PIN to be entered.

    So ... there are a LOT of ways for PKINIT to go wrong (that's the protocol you use when using a smartcard), especially when a PKCS#11 module is involved, and some of the failure modes end up causing weird things to happen (and many of them cause
    fallbacks to a password prompt). But I'm not sure why you're running "sudo kinit [...]"; shouldn't you just run kinit without sudo? I am wondering if sudo is causing the PIN prompt and kinit is giving you the password prompt.

    My suggestion is to run kinit again with the environment variable KRB5_TRACE set to point to a debug file. E.g:

    env KRB5_TRACE=/tmp/kinit.log kinit [extra kinit options here]

    That might point you to what is going wrong.

    --Ken

  • From Ken Hornstein@21:1/5 to Pal, Vikram on Tue Mar 2 06:25:59 2021
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    > Hello Ken,
    >
    > I tried again according to your suggestion but I'm not getting any
    > logging info in =/tmp/kinit.log

    The file should be /tmp/kinit.log. And if that isn't appearing ... well, something more fundamental is going wrong. I'm assuming you're not doing something weird with sudo of course, because that usually clears out the environment (I don't believe you explained why you were doing that).

    --Ken

  • From Pal, Vikram@21:1/5 to Ken Hornstein on Tue Mar 2 10:47:36 2021
    Copy: shashiraja.shastry@dell.com (Shastry, Shashiraja)
    Copy: rajeev.a@dell.com (Agrawal, Rajeev)
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    -----Original Message-----
    From: Pal, Vikram
    Sent: Tuesday, March 2, 2021 2:06 PM
    To: Ken Hornstein
    Cc: kerberos@mit.edu
    Subject: RE: kinit failing when AD user joining using smartcard PIN on ubuntu 20.04

    Hello Ken,

    I tried again according to your suggestion but I'm not getting any logging info in =/tmp/kinit.log

    Am I missing something here?

    Regards,
    Vikram

    -----Original Message-----
    From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
    Sent: Tuesday, March 2, 2021 1:10 AM
    To: Pal, Vikram
    Cc: kerberos@mit.edu
    Subject: Re: kinit failing when AD user joining using smartcard PIN on ubuntu 20.04



    We are login to Ubuntu 20.04 device using smartcard PIN. We are able to
    login as AD user successfully. We are using Windows 2019 AD Server.

    So, I don't know what this means. I suspect that Kerberos isn't working correctly here and you're falling back to something else.

    We tried kinit manually but it's throwing an error. It asks for PIN but immediately asks for password without waiting for the PIN to be entered.

    So ... there are a LOT of ways for PKINIT to go wrong (that's the protocol you use when using a smartcard), especially when a PKCS#11 module is involved, and some of the failure modes end up causing weird things to happen (and many of them cause
    fallbacks to a password prompt). But I'm not sure why you're running "sudo kinit [...]"; shouldn't you just run kinit without sudo? I am wondering if sudo is causing the PIN prompt and kinit is giving you the password prompt.

    My suggestion is to run kinit again with the environment variable KRB5_TRACE set to point to a debug file. E.g:

    env KRB5_TRACE=/tmp/kinit.log kinit [extra kinit options here]

    That might point you to what is going wrong.

    --Ken
