Hello,

I have two questions.

1. Based on reading posts from this list and in other places, we have pieced together a CAC login solution using the pubkeyhash method. We do not currently have a directory service implemented. However, I'm curious if there is a way to utilize attribute matching with the local directory service on a Mac OS 10.6.6 client? The pubkeyhash CAC login option is working great; however, we would like to implement a solution where the AuthenticationAuthority field does not need to be updated every time a user is given a new smartcard.

2. I read a few posts about pkinit being available in 10.6.2 and later, and specifically a security vulnerability with pkinit which was fixed in 10.6.6. I just want to verify that the security vulnerability has been patched. Also, I have not been able to successfully implement the method described in this post: http://lists.macosforge.org/pipermail/smartcardservices-users/2010-July/000117.html by Shawn Geddis. I've been using the command:

    /System/Library/PrivateFrameworks/Heimdal.frameworks/Helpers/kinit -C KEYCHAIN: -D: KEYCHAIN: --pk-enterprise

for testing as described in the post above; however, when I use the -pk-enterprise option it connects to our KDC requesting a ticket for the PersonIdentifier\@mil instead of asking for my username like username@realm. When I use the -enterprise option instead of pk-enterprise it correctly asks our KDC for a ticket for username@realm. However, I keep getting PREAUTH_FAILED errors. Also, if we do get the test command working with the enterprise instead of pk-enterprise, is that still a valid test for getting a Kerberos ticket at login with a smartcard? As a side note, just running kinit works fine with no issues. Our Linux machines have pkinit working with a subject mapping to the common name on the card to their Linux username. Is there a way to do a subject mapping like this in OS 10.6.6?

Please excuse any terms I messed up; I'm another person who has been getting a crash course in smart cards. Any help would be greatly appreciated.

Thank you

_______________________
David Bruno
Security +, RHCT, CCNA, CCA
ARL/CISD
410-278-8929
david.bruno@us.army.mil