#6917 ipa-client-install: extra space in pkinit_anchors definition
Closed: duplicate 6 years ago Opened 6 years ago by frenaud.

When performing ipa-client-install, the following section is added in /etc/krb5.conf:

[realms]
  DOM-IPA.COM = {
    pkinit_anchors = FILE: /etc/ipa/ca.crt

  }

Note that the param pkinit_anchors contains an extra space between FILE: and /etc/ipa/ca.crt.

This causes the Kerberos client to fail when trying PKINIT because the ca.crt file is not read:

$ export KRB5_TRACE=/dev/stderr
$ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' demosc1
[78677] 1493711847.77746: Getting initial credentials for demosc1@DOM-IPA.COM
[78677] 1493711847.78070: Sending request (235 bytes) to DOM-IPA.COM
[78677] 1493711847.78488: Initiating TCP connection to stream 10.34.58.20:88
[78677] 1493711847.79255: Sending TCP request to stream 10.34.58.20:88
[78677] 1493711847.85644: Received answer (394 bytes) from stream 10.34.58.20:88
[78677] 1493711847.85673: Terminating TCP connection to stream 10.34.58.20:88
[78677] 1493711847.85834: Response was from master KDC
[78677] 1493711847.85879: Received error from KDC: -1765328359/Additional pre-authentication required
[78677] 1493711847.85974: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[78677] 1493711847.85993: Selected etype info: etype aes256-cts, salt "rOG^ Fx(s%85k-GC", params ""
[78677] 1493711847.86006: Received cookie: MIT
[78677] 1493711853.360097: Preauth module pkinit (147) (info) returned: 0/Success
PIV Card Holder pin (PIV_II)     PIN: 
[78677] 1493711860.808408: PKINIT OpenSSL error: Cannot open file ' /etc/ipa/ca.crt'
[78677] 1493711860.808483: PKINIT OpenSSL error: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
[78677] 1493711860.808500: PKINIT OpenSSL error: error:25070067:DSO support routines:DSO_load:could not load the shared library
[78677] 1493711860.808514: PKINIT OpenSSL error: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
[78677] 1493711860.808521: PKINIT OpenSSL error: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
[78677] 1493711860.808527: PKINIT OpenSSL error: error:25070067:DSO support routines:DSO_load:could not load the shared library
[78677] 1493711860.808533: PKINIT OpenSSL error: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
[78677] 1493711860.808545: PKINIT OpenSSL error: error:2606A074:engine routines:ENGINE_by_id:no such engine
[78677] 1493711860.808552: PKINIT OpenSSL error: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library
[78677] 1493711860.808558: PKINIT OpenSSL error: error:25070067:DSO support routines:DSO_load:could not load the shared library
[78677] 1493711860.808568: PKINIT OpenSSL error: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found
[78677] 1493711860.808575: PKINIT OpenSSL error: error:02001002:system library:fopen:No such file or directory
[78677] 1493711860.808583: PKINIT OpenSSL error: error:2006D080:BIO routines:BIO_new_file:no such file
[78677] 1493711860.808589: PKINIT client has no configured identity; giving up
[78677] 1493711860.808613: Preauth module pkinit (16) (real) returned: -1765328360/Cannot open file ' /etc/ipa/ca.crt': could not load the shared library
[78677] 1493711860.808643: PKINIT client has no configured identity; giving up
[78677] 1493711860.808655: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
[78677] 1493711860.808665: PKINIT client has no configured identity; giving up
[78677] 1493711860.808677: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
Password for demosc1@DOM-IPA.COM:
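As an added illustration (not code from the ticket or from FreeIPA itself), a small Python checker that parses the [realms] section of a krb5.conf and flags a pkinit_anchors value whose path carries whitespace after the FILE:/DIR:/ENV: prefix, which is exactly what turns "FILE: /etc/ipa/ca.crt" into an attempt to open ' /etc/ipa/ca.crt'. The two sample stanzas are constructed from the snippet in the ticket.

```python
import re

# Constructed sample: the [realms] stanza as written by ipa-client-install in
# the ticket (note the space after "FILE:"), and the corrected form.
BROKEN_KRB5_CONF = """[realms]
  DOM-IPA.COM = {
    pkinit_anchors = FILE: /etc/ipa/ca.crt

  }
"""
FIXED_KRB5_CONF = BROKEN_KRB5_CONF.replace("FILE: /etc", "FILE:/etc")

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")             # [realms]
_STANZA = re.compile(r"^\s*([^\s=]+)\s*=\s*\{\s*$")      # REALM = {
_KEYVAL = re.compile(r"^\s*([^\s=]+)\s*=\s*(.*?)\s*$")   # key = value, outer blanks trimmed


def pkinit_anchor_values(conf_text):
    """Return [(realm, value)] for every pkinit_anchors line under [realms]."""
    section = realm = None
    found = []
    for line in conf_text.splitlines():
        if (m := _SECTION.match(line)):
            section, realm = m.group(1), None
        elif section == "realms" and (m := _STANZA.match(line)):
            realm = m.group(1)
        elif line.strip() == "}":
            realm = None
        elif realm and (m := _KEYVAL.match(line)) and m.group(1) == "pkinit_anchors":
            found.append((realm, m.group(2)))
    return found


def check_pkinit_anchors(conf_text):
    """Return a list of problem strings; an empty list means the anchors look sane.

    Only the value's outer whitespace is trimmed by the profile parser, so a
    blank after the "FILE:" prefix survives and becomes part of the path that
    PKINIT then fails to open.
    """
    problems = []
    for realm, value in pkinit_anchor_values(conf_text):
        m = re.match(r"(FILE|DIR|ENV):(.*)$", value)
        if m is None:
            problems.append(f"{realm}: pkinit_anchors lacks a FILE:/DIR:/ENV: prefix: {value!r}")
        elif not m.group(2) or m.group(2) != m.group(2).lstrip():
            problems.append(f"{realm}: whitespace or empty path after {m.group(1)}: -> {m.group(2)!r}")
    return problems
```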
