Greetings Kerberos-users,
I've been successfully using OTP and pkinit for the past year or so. Within the last week or so, it has started to fail with:
client:
$ /usr/bin/kinit -n -c /tmp/.kerberos_cache
kinit: Preauthentication failed while getting initial credentials
KDC:
KDC_RETURN_PADATA:WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Failed to verify own certificate (depth 0): unable to get local issuer certificate
> KDC:
> KDC_RETURN_PADATA:WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Failed to verify own certificate (depth 0): unable to get local issuer certificate
I've run into this error before. MIT's KDC, for some bizarre reason,
insists that its server cert validate against the same set of CAs used
to authorize client PKINIT certs. This is insecure and a terrible idea,
but oh well. So make sure that the KDC server cert validates against the
set of CAs you've specified in the config file.
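The check the reply describes, as an added example that is not part of the thread and not MIT Kerberos code: it reads the realm's pkinit_identity and pkinit_anchors entries out of a kdc.conf and runs the same chain validation the KDC performs before answering an anonymous PKINIT request. It assumes the common MIT layout where both values are given as FILE: paths (DIR: and ENV: anchors are not handled), and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumed kdc.conf layout:
#   pkinit_identity = FILE:/path/to/kdc.crt,/path/to/kdc.key
#   pkinit_anchors  = FILE:/path/to/ca-bundle.pem
# The function names are hypothetical and chosen for this example.

# Print the path of every FILE: pkinit_anchors entry in the given kdc.conf.
pkinit_anchors_from_conf() {
    sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*FILE:\([^[:space:]]*\).*/\1/p' "$1"
}

# Print the certificate half of pkinit_identity (the part before the comma).
pkinit_kdc_cert_from_conf() {
    sed -n 's/^[[:space:]]*pkinit_identity[[:space:]]*=[[:space:]]*FILE:\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Validate the KDC's own certificate against each configured anchor file,
# which is what the KDC does when it builds the PA-PK-AS-REP.
# Returns 0 only if the cert chains to every anchor; 1 on a chain failure;
# 2 if the config carries no pkinit_identity.
check_kdc_cert_against_anchors() {
    conf=$1
    cert=$(pkinit_kdc_cert_from_conf "$conf")
    [ -n "$cert" ] || { echo "no pkinit_identity in $conf" >&2; return 2; }
    rc=0
    for anchor in $(pkinit_anchors_from_conf "$conf"); do
        if openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1; then
            echo "ok: $cert chains to $anchor"
        else
            # This is the condition behind "Failed to verify own certificate
            # (depth 0): unable to get local issuer certificate" in the KDC log.
            echo "FAIL: $cert does not chain to $anchor" >&2
            rc=1
        fi
    done
    return $rc
}

# Run directly with the kdc.conf path as the only argument.
if [ $# -gt 0 ]; then
    check_kdc_cert_against_anchors "$1"
fi
```

Run it as `sh check_pkinit_chain.sh /etc/krb5kdc/kdc.conf` on the KDC host. If the KDC certificate is issued by an intermediate, the anchor file must contain that intermediate (or the intermediate must be reachable through pkinit_pool), otherwise openssl and the KDC both stop at depth 0 with the same "unable to get local issuer certificate" result.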