Re: [SmartcardServices-Users] Process behind /etc/cacloginconfig.plist for Windows authentication ?
Hi all,
First of all, I’m sorry for the noise, after rereading my whole config and my command line history I’ve seen my error. On my SmartCard I’ve made a mistake when loading the certificate. I’ve used the wrong PIN ID to protect the private key.
So, my authentication is now working.
However, like Henry pointed out, there may be some difference between opening a session and getting a TGT…
And actually (on a 10.9), the Kerberos didn’t get the TGT from the login. Klist asks me for a password.
Did someone successfully enable PKINIT/Kerberos things?
Thanks for your interest, of course, if I end up with a working config, I will write a blog article :-)
Yoann
Hi Yoann, I'd love reading a guide/blog post about this. If needed I'd be able to host such a thing.
On 14 nov 2013, at 22:51, Yoann Gini <yoann.gini@gmail.com> wrote:
Hi all,
First of all, I’m sorry for the noise, after rereading my whole config and my command line history I’ve seen my error. On my SmartCard I’ve made a mistake when loading the certificate. I’ve used the wrong PIN ID to protect the private key.
So, my authentication is now working.
However, like Henry pointed out, there may be some difference between opening a session and getting a TGT…
And actually (on a 10.9), the Kerberos didn’t get the TGT from the login. Klist asks me for a password.
Did someone successfully enable PKINIT/Kerberos things?
Thanks for your interest, of course, if I end up with a working config, I will write a blog article :-)
Yoann
I'm pretty sure this is supposed to work, but I'm not upgrading to 10.9 for a while, so I guess I can't comment as much as I'd like. I do know there exist people who did it with 10.8, but have no direct contact with them. If you're doing it with an AD Kerberos service, then there are some off-topic configuration settings that are probably needed. Even more if you want to use AD with a cross-realm trust to a PKINIT-supporting non-AD Kerberos.
On Nov 14, 2013, at 1:51 PM, Yoann Gini <yoann.gini@gmail.com> wrote:
And actually (on a 10.9), the Kerberos didn’t get the TGT from the login. Klist asks me for a password.
Did someone successfully enable PKINIT/Kerberos things?
Personal email. hbhotz@oxy.edu
participants (3)
- Henry B Hotz
- Sami M'Barek
- Yoann Gini