On Fri, May 24, 2019 at 07:30:53PM -0000, Khurrum Maqb via FreeIPA-users wrote:
> And if I specify the card LABEL:
>
> # KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so:certlabel=Certificate for PIV Authentication' username
> [22278] 1558726069.978962: Getting initial credentials for username@DOMAIN
> [22278] 1558726069.978964: Sending unauthenticated request
> [22278] 1558726069.978965: Sending request (172 bytes) to DOMAIN
> [22278] 1558726069.978966: Initiating TCP connection to stream 192.168.162.10:88
> [22278] 1558726069.978967: Sending TCP request to stream 192.168.162.10:88
> [22278] 1558726069.978968: Received answer (298 bytes) from stream 192.168.162.10:88
> [22278] 1558726069.978969: Terminating TCP connection to stream 192.168.162.10:88
> [22278] 1558726069.978970: Response was from master KDC
> [22278] 1558726069.978971: Received error from KDC: -1765328359/Additional pre-authentication required
> [22278] 1558726069.978974: Preauthenticating using KDC method data
> [22278] 1558726069.978975: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
> [22278] 1558726069.978976: Selected etype info: etype aes256-cts, salt ",NA[[snip]]&?", params ""
> [22278] 1558726069.978977: Received cookie: MIT
> [22278] 1558726076.4420: Preauth module pkinit (147) (info) returned: 0/Success
> PIV_II PIN:
> [22278] 1558726085.757813: PKINIT loading CA certs and CRLs from FILE
> [22278] 1558726085.757814: PKINIT loading CA certs and CRLs from FILE
> [22278] 1558726085.757815: PKINIT client computed kdc-req-body checksum 9/09AD53A5919AEB906D
> [22278] 1558726085.757817: PKINIT client making DH request
> [22278] 1558726086.960954: Preauth module pkinit (16) (real) returned: 0/Success
> [22278] 1558726086.960955: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
> [22278] 1558726086.960956: Sending request (6924 bytes) to DOMAIN
> [22278] 1558726086.960957: Initiating TCP connection to stream 192.168.162.10:88
> [22278] 1558726086.960958: Sending TCP request to stream 192.168.162.10:88
> [22278] 1558726087.25096: Received answer (1641 bytes) from stream 192.168.162.10:88
> [22278] 1558726087.25097: Terminating TCP connection to stream 192.168.162.10:88
> [22278] 1558726087.25098: Response was from master KDC
> [22278] 1558726087.25099: Processing preauth types: PA-PK-AS-REP (17), PA-ETYPE-INFO2 (19)
> [22278] 1558726087.25100: Selected etype info: etype aes256-cts, salt ",NA#[[snip]]RE&?", params ""
> [22278] 1558726087.25101: PKINIT client could not verify DH reply

This sounds like the client cannot verify the KDC certificate, i.e. the CA certificates of the issuer are not available to libkrb5. Typically the IPA KDC certificates are signed by the IPA CA. Can you check in your krb5.conf if in the pkinit_anchors options there is a file listed which contains the IPA CA certificate (or the certificate of the CA which signed the KDC certificates).

bye,
Sumit

> [22278] 1558726087.25102: Preauth module pkinit (17) (real) returned: -1765328360/Preauthentication failed
> [22278] 1558726087.25103: Produced preauth for next request: (empty)
> [22278] 1558726087.25104: Getting AS key, salt ",NA[[snip]]E&?", params ""
> Password for username@DOMAIN:
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
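The check Sumit asks for (is the CA that issued the KDC certificate actually listed under pkinit_anchors in krb5.conf?) can be scripted. The block below is an added example, not code from this thread, from FreeIPA or from MIT krb5: it parses the pkinit_anchors entries of a krb5.conf-style text, reads the certificates each FILE: or DIR: anchor points to, and reports whether the issuer CA is among them and which anchor paths do not exist. Assumptions: anchors are given as FILE:<path> or DIR:<dir> (the ENV: form is not handled); a realm-specific pkinit_anchors replaces the [libdefaults] one rather than merging with it; the realm names, paths and PEM blocks in the demo are constructed placeholders, not real certificates. It only answers "is the issuer present in the anchors", not the full chain validation libkrb5 performs on the KDC certificate.

```python
# Added example (not from the thread, FreeIPA or MIT krb5): offline check that
# the CA which signed the KDC certificate is among the client's PKINIT anchors.
# Assumptions: FILE:/DIR: anchor specs only; a realm's pkinit_anchors replaces
# the [libdefaults] value.
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text):
    """SHA-256 fingerprints (hex) of every PEM certificate block in text."""
    fps = set()
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def parse_pkinit_anchors(conf_text):
    """Map scope ('libdefaults' or a realm name) -> list of pkinit_anchors specs."""
    anchors, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            continue
        if line == "}":            # end of a 'REALM = { ... }' block
            realm = None
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":           # start of a 'REALM = { ... }' block
            realm = key
            continue
        if key == "pkinit_anchors":
            scope = realm if section == "realms" and realm else section
            anchors.setdefault(scope, []).append(value)
    return anchors


def load_anchor(spec):
    """Fingerprints of the certs behind one anchor spec, plus paths that do not exist."""
    kind, _, path = spec.partition(":")
    if kind == "FILE":
        paths = [path]
    elif kind == "DIR" and os.path.isdir(path):
        paths = [os.path.join(path, f) for f in sorted(os.listdir(path))]
    else:
        return set(), [spec]       # unsupported form or missing directory
    fps, missing = set(), []
    for p in paths:
        if not os.path.isfile(p):
            missing.append(p)
            continue
        with open(p, encoding="ascii", errors="replace") as fh:
            fps |= pem_fingerprints(fh.read())
    return fps, missing


def check_kdc_issuer(conf_text, realm, issuer_ca_pem):
    """Does the anchor set in effect for `realm` contain the KDC issuer CA?"""
    anchors = parse_pkinit_anchors(conf_text)
    specs = anchors.get(realm) or anchors.get("libdefaults") or []
    fps, missing = set(), []
    for spec in specs:
        found, absent = load_anchor(spec)
        fps |= found
        missing += absent
    return {"specs": specs, "missing": missing,
            "has_issuer": bool(fps & pem_fingerprints(issuer_ca_pem))}


def placeholder_pem(label):
    """Constructed PEM block: not a real X.509 certificate, only its bytes matter here."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def demo():
    """Constructed scenario: realm GOOD lists the issuer CA, BAD points at a missing file,
    OTHER falls back to a [libdefaults] anchor that does not exist either."""
    ipa_ca = placeholder_pem("constructed IPA CA")
    with tempfile.TemporaryDirectory() as tmp:
        ca_path = os.path.join(tmp, "ca.crt")
        with open(ca_path, "w") as fh:
            fh.write(placeholder_pem("constructed other CA") + ipa_ca)
        conf = f"""
[libdefaults]
 default_realm = GOOD
 pkinit_anchors = FILE:{tmp}/does-not-exist.pem
[realms]
 GOOD = {{
  kdc = kdc.example.test
  pkinit_anchors = FILE:{ca_path}
 }}
 BAD = {{
  pkinit_anchors = FILE:{tmp}/missing.pem
 }}
"""
        return (check_kdc_issuer(conf, "GOOD", ipa_ca),
                check_kdc_issuer(conf, "BAD", ipa_ca),
                check_kdc_issuer(conf, "OTHER", ipa_ca))


if __name__ == "__main__":
    for name, result in zip(("GOOD", "BAD", "OTHER"), demo()):
        print(name, result)
```

On a real client you would feed check_kdc_issuer() the contents of /etc/krb5.conf, the realm from the trace, and the PEM of the CA that signed the KDC certificate; a result with has_issuer false or a non-empty missing list is consistent with the "PKINIT client could not verify DH reply" line in the trace above.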