And if I specify the card LABEL:
# KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so:certlabel=Certificate for PIV Authentication' username
[22278] 1558726069.978962: Getting initial credentials for username@DOMAIN
[22278] 1558726069.978964: Sending unauthenticated request
[22278] 1558726069.978965: Sending request (172 bytes) to DOMAIN
[22278] 1558726069.978966: Initiating TCP connection to stream 192.168.162.10:88
[22278] 1558726069.978967: Sending TCP request to stream 192.168.162.10:88
[22278] 1558726069.978968: Received answer (298 bytes) from stream 192.168.162.10:88
[22278] 1558726069.978969: Terminating TCP connection to stream 192.168.162.10:88
[22278] 1558726069.978970: Response was from master KDC
[22278] 1558726069.978971: Received error from KDC: -1765328359/Additional pre-authentication required
[22278] 1558726069.978974: Preauthenticating using KDC method data
[22278] 1558726069.978975: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[22278] 1558726069.978976: Selected etype info: etype aes256-cts, salt ",NA[[snip]]&?", params ""
[22278] 1558726069.978977: Received cookie: MIT
[22278] 1558726076.4420: Preauth module pkinit (147) (info) returned: 0/Success
PIV_II PIN:
[22278] 1558726085.757813: PKINIT loading CA certs and CRLs from FILE
[22278] 1558726085.757814: PKINIT loading CA certs and CRLs from FILE
[22278] 1558726085.757815: PKINIT client computed kdc-req-body checksum 9/09AD53A5919AEB906D
[22278] 1558726085.757817: PKINIT client making DH request
[22278] 1558726086.960954: Preauth module pkinit (16) (real) returned: 0/Success
[22278] 1558726086.960955: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[22278] 1558726086.960956: Sending request (6924 bytes) to DOMAIN
[22278] 1558726086.960957: Initiating TCP connection to stream 192.168.162.10:88
[22278] 1558726086.960958: Sending TCP request to stream 192.168.162.10:88
[22278] 1558726087.25096: Received answer (1641 bytes) from stream 192.168.162.10:88
[22278] 1558726087.25097: Terminating TCP connection to stream 192.168.162.10:88
[22278] 1558726087.25098: Response was from master KDC
[22278] 1558726087.25099: Processing preauth types: PA-PK-AS-REP (17), PA-ETYPE-INFO2 (19)
[22278] 1558726087.25100: Selected etype info: etype aes256-cts, salt ",NA#[[snip]]RE&?", params ""
[22278] 1558726087.25101: PKINIT client could not verify DH reply
[22278] 1558726087.25102: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
[22278] 1558726087.25103: Produced preauth for next request: (empty)
[22278] 1558726087.25104: Getting AS key, salt ",NA[[snip]]E&?", params ""
Password for username@DOMAIN: