Cc: kerberos@mit.edu
I have been trying to log in to my Ubuntu (v20.04) machine, which is
joined to an AD server (Windows Server 2k16). For logging in to the user
account I have a .CER certificate (a certificate without the private
key) on a smartcard attached to the Ubuntu machine. When I try this, it prompts for the PIN but fails even when the correct PIN is provided.
I wanted to ask whether the process I am implementing is recommended, or
whether I am missing something in the process described above.
I'm not sure why _I_ was directly emailed, but, fine ...
I am assuming you are attempting PKINIT, because that's the only way you'd
be able to use a smartcard with Active Directory. If you are getting a PIN prompt, then probably the hard part is working (communication with the smartcard via a PKCS#11 module) and you're getting relatively far in
the process, which is good.
There are a number of places where PKINIT could fail, and unfortunately
the actual error message gets hidden internally in the library. If your version of Kerberos is new enough, try turning on debug tracing by
setting the KRB5_TRACE environment variable. E.g.:
env KRB5_TRACE=/dev/stdout kinit [... kinit options ...]
I have a feeling you're going to need to set a few variables in your
krb5.conf to authorize your specific KDC certificates. That's assuming the rest of your PKI is working on your client, which is never a sure thing.
--Ken
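As an added illustration of the krb5.conf settings Ken alludes to (this is not from the thread and not Ken's configuration), the fragment below is a typical MIT krb5 PKINIT setup against an AD domain controller. The realm EXAMPLE.COM, the host dc1.example.com, the CA bundle path and the OpenSC module path are assumptions to be replaced with your own values.

```ini
# Added example, not from the original thread: krb5.conf fragment for
# PKINIT with a smartcard against an Active Directory realm.
# EXAMPLE.COM, dc1.example.com, the CA bundle path and the PKCS#11
# module path are assumptions; substitute the values for your domain.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        # CA chain that issued the domain controller's certificate. The
        # client rejects the KDC's certificate unless it chains to one of
        # these anchors, and the rejection is silent without KRB5_TRACE.
        pkinit_anchors = FILE:/etc/krb5/ad-root-ca.pem
        # AD domain controller certificates usually carry only the
        # serverAuth EKU, not the PKINIT KDC EKU that MIT krb5 expects
        # by default, so accept kpServerAuth instead.
        pkinit_eku_checking = kpServerAuth
        # Match the DC certificate by hostname rather than by the
        # id-pkinit-san extension, which AD-issued KDC certificates
        # typically lack.
        pkinit_kdc_hostname = dc1.example.com
        # Client certificate and private key come from the card through
        # the PKCS#11 module; the .CER file itself holds no key.
        pkinit_identities = PKCS11:module_name=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    }
```

With this in place, run `env KRB5_TRACE=/dev/stderr kinit user@EXAMPLE.COM` and read the PKINIT lines of the trace: a failure to verify the KDC certificate points at `pkinit_anchors` or the EKU/hostname settings above, whereas a failure after the AS-REQ is sent usually means AD could not map the card certificate to the account (the certificate's subjectAltName UPN must match the user, which you can inspect with `openssl x509 -inform DER -in user.cer -noout -text` if the .CER is DER-encoded).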