• Fwd: FW: kinit failing when AD user joining using smaercard PIN on ubun

    From Vikram Yadav@21:1/5 to All on Wed Mar 3 16:20:27 2021
    Copy: kerberos@mit.edu

    Hello Ken,

    Thanks for your kind response!

    I rectified the pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com
    tested again but it throws error regarding "no acceptable EKU in KDC

    I read the link you sent in the below mail, it says setting
    pkinit_eku_checking is not necessary.

    What should we do now?


    -----Original Message-----
    From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
    Sent: Tuesday, March 2, 2021 7:59 PM
    To: Pal, Vikram
    Cc: kerberos@mit.edu; Agrawal, Rajeev; Shastry, Shashiraja;
    Rajagopalan, SrinivasaRagavan; Venkatesh, Ramanujam
    Subject: Re: kinit failing when AD user joining using smaercard PIN on
    ubuntu 20.04


    PFA the Kerberos logs got while running kinit command. Could you
    please help us understand as to where we ae going here & what should we
    do to make it work?

    Well, you COULD have included them as text rather than a picture :-)
    But, fine. I see you get a PIN prompt, but I'm not clear if you
    actually had the chance to enter in a PIN or not. Also, I see this:

    PKINIT no anchor CA in file /etc/ssl/ca-pem/root//blrdhcdev.cer

    And that file extension makes me think the certificate there is in DER
    format, not PEM. But I think your REAL problem is down below:

    PKINIT client config accepts KDC dNSName SAN BLRDHCDEV.COM PKINIT
    client found dNSName SAN in KDC cert: blrdhcdev-ad.blrdhcdev.com
    PKINIT client found no acceptable SAN in KDC cert

    You can read about the PKINIT client configuration here:


    The key section is down where it says "Configuring the clients".
    It looks like you have

    pkinit_kdc_hostname = BLRDHCDEV.COM

    But it really should be

    pkinit_kdc_hostname = blrdhcdev-ad.blrdhcdev.com

    (and you need one of those for each of your AD server hostnames).

    This is the configuration that tells the client that it can trust the
    KDC certificate. If you don't have the KDC certificate with the
    special extensions that say, "This certificate is valid for your
    realm", then your client needs to be configured to say, "This set of certificates is valid for a KDC certificate". And you need to
    explicitly list every dNSName in your client. That's what
    pkinit_kdc_hostname does.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)