What I am looking for is the
configuration of the MacOSX client. When I monitor with
wireshark the only time I can see a pkinit AS_REQ is using the
commandline:
kinit -C KEYCHAIN:
But only after I have already unlocked the PIV keychain.
The MacOSX 10.9.5 or 10.10 systems have an /etc/krb5.conf that has
the following pkinit configuration, under the realms stanza for
both an MIT KDC and a Windows KDC that are enabled for pkinit. Note
you don't need the "krbtgt/realm@realm" in the KDC cert SAN if you
set pkinit_require_krbtgt_otherName to false:
    pkinit_identities = KEYCHAIN:
    pkinit_anchors = FILE:/usr/local/kerberos/config/etc/pkinit/certificates/trusted-ca
    pkinit_require_crl_checking = false
    pkinit_kdc_hostname = Hostname_of_KDC
    pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature
    pkinit_cert_match = <SAN>.*@FEDIDCARD.GOV
    pkinit_require_krbtgt_otherName = false
The problem is I never see pam_opendirectory or pam_krb5 make a
Kerberos authentication call (AS_REQ) using the PKINIT preauth
data (image below).
After installing the smartcard services and doing the steps below,
I can use the PIV for login and for screenlock, but no Kerberos
calls take place.
- security authorizationdb smartcard enable
- Insert smartcard for USER
- sc_auth accept -u USER -k PIV
An Apple document talked about configuring
/etc/cacloginconfig.plist, which I did, but no change.
So I am curious if anyone has it working outside of using the
kinit commandline?
Thanks
Glenn
Kerberos AS_REQ using pkinit preauth data (padata):
On 8/30/15 9:12 PM, Burgin, Thomas (NIH/NIMH) [C] wrote:
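The realm stanza above relaxes two KDC certificate checks (pkinit_require_crl_checking and pkinit_require_krbtgt_otherName), which is easy to lose track of once a client is finally working. The following is an added example, not part of this thread and not MIT krb5 or Apple code: a small hypothetical helper that parses the [realms] section of a krb5.conf and reports PKINIT options that weaken certificate validation. The sample configuration is constructed from the settings quoted in the post (realm name and kdc line are placeholders), the parser handles only the krb5.conf subset used here, and the meaning attributed to each option follows the MIT krb5 documentation for pkinit_require_crl_checking, pkinit_require_krbtgt_otherName and pkinit_kdc_hostname.

```python
"""Audit the PKINIT settings in krb5.conf realm stanzas.

Hypothetical helper (not MIT krb5 or Apple code). Parses the [realms]
section of a krb5.conf and flags options that loosen KDC or client
certificate validation. The sample below is constructed from the
settings in the mailing-list post; EXAMPLE.ORG and the kdc line are
placeholders.
"""
import re
from collections import defaultdict

# Constructed sample: the post's settings placed inside a [realms] stanza.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        pkinit_identities = KEYCHAIN:
        pkinit_anchors = FILE:/usr/local/kerberos/config/etc/pkinit/certificates/trusted-ca
        pkinit_require_crl_checking = false
        pkinit_kdc_hostname = Hostname_of_KDC
        pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature
        pkinit_cert_match = <SAN>.*@FEDIDCARD.GOV
        pkinit_require_krbtgt_otherName = false
    }
"""

# Constructed sample with almost nothing set, to exercise the other findings.
BARE_KRB5_CONF = """
[realms]
    BARE.EXAMPLE = {
        kdc = kdc.bare.example
        pkinit_identities = KEYCHAIN:
    }
"""

_SECTION_RE = re.compile(r"^\[(\w+)\]$")
_REALM_OPEN_RE = re.compile(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$")
_KV_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")


def parse_realms(text):
    """Return {realm: {key: [value, ...]}} for the [realms] section.

    Handles only the syntax used here: [section] headers, REALM = { ... }
    blocks and key = value lines. Repeated keys keep every value because
    pkinit_cert_match may legitimately appear more than once.
    """
    realms = defaultdict(lambda: defaultdict(list))
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = _REALM_OPEN_RE.match(line)
        if m:
            realm = m.group(1)
            continue
        if line == "}":
            realm = None
            continue
        m = _KV_RE.match(line)
        if m and realm:
            realms[realm][m.group(1)].append(m.group(2).strip())
    return {r: dict(kv) for r, kv in realms.items()}


def _is_false(values):
    # krb5.conf boolean; the last occurrence of a key wins here (assumption).
    return bool(values) and values[-1].lower() in ("false", "no", "0")


def audit_pkinit(opts):
    """Return a list of human-readable findings for one realm's options."""
    findings = []
    if "pkinit_anchors" not in opts:
        findings.append("no pkinit_anchors: the KDC certificate chain has no trust root to validate against")
    if _is_false(opts.get("pkinit_require_crl_checking", [])):
        findings.append("pkinit_require_crl_checking=false: KDC cert verification succeeds even when no CRL is available for the issuing CA")
    if _is_false(opts.get("pkinit_require_krbtgt_otherName", [])):
        if "pkinit_kdc_hostname" in opts:
            findings.append("pkinit_require_krbtgt_otherName=false: KDC identity rests on a dNSName SAN matching pkinit_kdc_hostname")
        else:
            findings.append("pkinit_require_krbtgt_otherName=false without pkinit_kdc_hostname: KDC cert is not bound to a krbtgt name or a hostname")
    if not opts.get("pkinit_cert_match"):
        findings.append("no pkinit_cert_match: client certificate is selected without EKU/KU/SAN constraints")
    return findings


def audit_config(text):
    """Map each realm in the config to its list of findings."""
    return {realm: audit_pkinit(opts) for realm, opts in parse_realms(text).items()}


if __name__ == "__main__":
    for conf in (SAMPLE_KRB5_CONF, BARE_KRB5_CONF):
        for realm, findings in audit_config(conf).items():
            print(realm)
            for f in findings:
                print("  -", f)
```

Run against the post's stanza the helper reports the two relaxed KDC checks and nothing else; the pkinit_anchors path and both pkinit_cert_match rules are present, so selection of the PIV certificate is at least constrained by EKU, KU and SAN. Point it at /etc/krb5.conf to review a real client, keeping in mind it reads only the [realms] section and not options inherited from [libdefaults].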