[SmartcardServices-Users] OS X 10.9 (10.10) Smart Card Logon But No PKINIT
Hoit, Daniel S.
hoit2 at llnl.gov
Fri Apr 24 08:53:45 PDT 2015
Thanks Dan.
I may look into that then.
--DH
On Apr 24, 2015, at 8:48 AM, "Brodjieski, Daniel D CTR WHS EITSD (US)"
<daniel.d.brodjieski.ctr at mail.mil>
wrote:
> Hi Daniel-
> I have had similar issues when trying to leverage the built-in kerberos
> tools with Mavericks and Yosemite. I have had luck when I download and
> install the Heimdal tools directly from the project site (if I recall, it’s
> version 1.5). I know the files haven’t been updated since last October,
> but it was the only way I could get a kerberos ticket using the command
> line. After installing it into /usr/heimdal, I’m able to run:
>
> /usr/heimdal/bin/kinit -C KEYCHAIN: -D KEYCHAIN: --pk-enterprise
>
>
> And this has been working for us.
>
> Hope that’s helpful.
>
> Respectfully,
>
> Dan Brodjieski
>
>
>
> On 4/23/15, 4:36 PM, "Hoit, Daniel S." <hoit2 at llnl.gov> wrote:
>
>> Hate to drag up stuff from the past, but I wonder if this was ever
>> figured out?
>> I'm looking at the same basic situation. I can do cacloginconfig based
>> smart card login under 10.10.3, but I don't get a kerberos TGT for the
>> user, and no options that I toss at kinit seem to enable it to do a
>> pkinit.
>>
>> Here is what I have:
>> Gemalto smart card, being correctly recognized and read by the system. I
>> can see the "keychain", the certificate on board has the correct eku for
>> smart card login, and it shows as trusted. Root certificates for AD are
>> installed. Cacloginconfig.plist points to the right attributes. I can go
>> to the login window, insert the card, put in my pin, and login, but no
>> kerberos ticket is generated.
>>
>> If I run kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
>> I get the result: kinit: krb5_pk_enterprise_certs: Failed to find PKINIT
>> certificate: Certificate not found
>> Thinking that maybe this is a search path issue, and that the trailing :
>> after KEYCHAIN seems to indicate it's some sort of path separator, I tried
>> the following:
>>
>> Run security list-keychains. Copy "smart card keychain" name.
>> run kinit -C KEYCHAIN:"smart card keychain name" -D KEYCHAIN: --windows
>> --pk-enterprise
>> Result: kinit: krb5_pk_enterprise_certs: PK-INIT cert didn't contain
>> principal SAN
>>
>> Now, the certificate I'm trying to use DOES have a SAN, so I don't know
>> if this is further confusing things, or helping and showing the next
>> error in the chain.
>>
>> I think I've tried every possible combination of documented switches in
>> kinit, but I can't seem to get any further.
>> Does anyone have any suggestions?
>>
>> --DH
>>
>>
>> On May 22, 2014, at 7:59 AM, "Brown, Alexander [USA]"
>> <Brown_Alexander2 at bah.com> wrote:
>>
>>> I exported the public certificate to a file and then ran "sudo security
>>> verify-cert -p pkinitClient -c <certificate-file>" (replacing
>>> <certificate-file> with the actual file name) and the message I received
>>> was "certificate verification successful".
>>>
>>>
>>> Alex
>>>
>>> -----Original Message-----
>>> From: Henry B Hotz [mailto:hbhotz at oxy.edu]
>>> Sent: Tuesday, May 20, 2014 5:02 PM
>>> To: Yoann Gini
>>> Cc: Brown, Alexander [USA]; smartcardservices-users at lists.macosforge.org
>>> Subject: [External] Re: [SmartcardServices-Users] OS X 10.9 Smart Card
>>> Logon But No PKINIT
>>>
>>> Just for completeness we should mention the command "security
>>> verify-cert -p pkinitClient". I don't think it calls any Heimdal
>>> Kerberos code, but it should tell you something about what the Apple PKI
>>> code thinks.
>>>
>>> On May 20, 2014, at 12:11 AM, Yoann Gini <yoann.gini at gmail.com> wrote:
>>>
>>>> On 19 May 2014 at 22:31, Henry B Hotz <hbhotz at oxy.edu> wrote:
>>>>
>>>>> On May 16, 2014, at 3:23 PM, Yoann Gini <yoann.gini at gmail.com> wrote:
>>>>>
>>>>>>> I got the error "kinit: krb5_pk_enterprise_certs: Failed to find
>>>>>>> PKINIT certificate: Certificate not found". The smart card I am
>>>>>>> using for this is the DoD CAC.
>>>>>>
>>>>>> I've got this problem too. I've found (via reverse engineering) that
>>>>>> the Kerberos framework has some problems in the algo used to validate
>>>>>> the certificate on the card. It seems to see it but doesn't take it as
>>>>>> valid.
>>>>>
>>>>> Alexander's cert ought to be OK since it's at least recognized, but
>>>>> I've seen a similar apparent mis-match in processing the KDC reply
>>>>> from a Heimdal KDC. I suspect the problem is a mis-match between
>>>>> Apple's PKI framework and Heimdal.
>>>>
>>>> Yes, this can also be an explanation for what I've seen.
>>>>
>>>> When I said « it doesn't take it as valid », I was talking about the
>>>> whole checkup process: certificate validity and authorized usage.
>>>>
>>>> Of course I've tried different KU and EKU without any success.
>>>
>>> At least for Heimdal, I think KU of digitalSignature is all that's
>>> required. I wonder if it's worth trying Heimdal on a Linux system for
>>> comparison? (I suggest Debian with the OpenSC card drivers if someone
>>> wants to try.) If nothing else the error messages might be clearer, and
>>> you could write a better bug report for Apple.
>>>
>>> Personal email. hbhotz at oxy.edu
>>>
>>>
>>>
>>> _______________________________________________
>>> SmartcardServices-Users mailing list
>>> SmartcardServices-Users at lists.macosforge.org
>>> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
>>
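The two kinit errors quoted in this thread ("Failed to find PKINIT certificate" and "PK-INIT cert didn't contain principal SAN") and Henry's remark that digitalSignature is the only key usage Heimdal needs all come down to what the certificate's extensions actually contain. The following is an added example, not code from the list, from Heimdal or from Apple: a minimal DER walker that reports the three facts a PKINIT client cares about from a certificate's Extensions block, namely the digitalSignature KeyUsage bit, the EKU OIDs, and whether SubjectAltName carries a principal as a Microsoft UPN otherName (1.3.6.1.4.1.311.20.2.3) or a PKINIT KRB5PrincipalName otherName (1.3.6.1.5.2.2). The point it illustrates is that a certificate can "have a SAN" (an rfc822Name, say) and still draw the "didn't contain principal SAN" error, because only an otherName of one of those two types counts as a principal. The sample extensions are constructed inline rather than read from a card; the OIDs are the standard assignments, and the helper names are this example's own.

```python
"""Pre-check a client certificate's Extensions for smart card logon / PKINIT.

Added example: a tiny DER reader plus a check for the three things kinit
needs (digitalSignature KU, a usable EKU, and a principal-bearing SAN).
"""
from typing import Dict, List, Tuple

# Standard OID assignments (X.509, Microsoft, RFC 4556); not assumptions.
OID_KEY_USAGE = "2.5.29.15"
OID_SAN = "2.5.29.17"
OID_EKU = "2.5.29.37"
OID_MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_MS_UPN = "1.3.6.1.4.1.311.20.2.3"           # otherName carrying user@REALM
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"       # id-pkinit-KPClientAuth
OID_PKINIT_SAN = "1.3.6.1.5.2.2"                 # id-pkinit-san (KRB5PrincipalName)


def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV (single-byte tag) at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed value into its (tag, content) parts."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def oid_decode(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pkinit_precheck(extensions_der: bytes) -> Dict[str, object]:
    """Extract KU/EKU/SAN facts from a DER Extensions SEQUENCE."""
    report: Dict[str, object] = {"digitalSignature": False, "eku": [],
                                 "upn": None, "krb_principal": False}
    for _, ext in der_children(der_read(extensions_der, 0)[1]):
        fields = der_children(ext)                # extnID, [critical], extnValue
        ext_oid, ext_value = oid_decode(fields[0][1]), fields[-1][1]
        if ext_oid == OID_KEY_USAGE:
            _, bits, _ = der_read(ext_value, 0)   # BIT STRING: unused-bit count, then bits
            report["digitalSignature"] = len(bits) > 1 and bool(bits[1] & 0x80)
        elif ext_oid == OID_EKU:
            report["eku"] = [oid_decode(v) for _, v in der_children(der_read(ext_value, 0)[1])]
        elif ext_oid == OID_SAN:
            for tag, name in der_children(der_read(ext_value, 0)[1]):
                if tag != 0xA0:                   # only otherName [0] can hold a principal
                    continue
                type_id, value_wrapper = der_children(name)
                if oid_decode(type_id[1]) == OID_MS_UPN:
                    report["upn"] = der_read(value_wrapper[1], 0)[1].decode("utf-8")
                elif oid_decode(type_id[1]) == OID_PKINIT_SAN:
                    report["krb_principal"] = True
    return report


def pkinit_problems(report: Dict[str, object]) -> List[str]:
    """Turn the report into the complaints a PKINIT client would raise."""
    problems = []
    if not report["digitalSignature"]:
        problems.append("KeyUsage lacks digitalSignature")
    if not ({OID_MS_SMARTCARD_LOGON, OID_PKINIT_CLIENT_AUTH} & set(report["eku"])):
        problems.append("EKU has neither Smart Card Logon nor PKINIT client auth")
    if report["upn"] is None and not report["krb_principal"]:
        problems.append("no principal SAN (UPN or KRB5PrincipalName otherName)")
    return problems


# --- constructed sample input (this example's own, not a real card) ----------
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def oid_encode(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)


def sample_extensions(with_upn: bool) -> bytes:
    """Extensions with KU, EKU and a SAN that has an rfc822Name plus, optionally, a UPN."""
    ext = lambda oid, value: tlv(0x30, oid_encode(oid) + tlv(0x04, value))
    key_usage = ext(OID_KEY_USAGE, tlv(0x03, bytes([0x05, 0xA0])))  # digitalSignature, keyEncipherment
    eku = ext(OID_EKU, tlv(0x30, oid_encode(OID_MS_SMARTCARD_LOGON) + oid_encode("1.3.6.1.5.5.7.3.2")))
    names = tlv(0x81, b"user@example.com")        # rfc822Name alone is NOT a principal
    if with_upn:
        names = tlv(0xA0, oid_encode(OID_MS_UPN) + tlv(0xA0, tlv(0x0C, b"user@EXAMPLE.COM"))) + names
    return tlv(0x30, key_usage + eku + ext(OID_SAN, tlv(0x30, names)))


if __name__ == "__main__":
    for flag in (True, False):
        print("with UPN" if flag else "email SAN only", pkinit_problems(pkinit_precheck(sample_extensions(flag))))
```

To run the same check against a real card certificate, export it from the keychain, parse the outer Certificate structure down to the Extensions SEQUENCE (tbsCertificate's [3] element) and pass that to `pkinit_precheck`; `openssl x509 -in cert.pem -text -noout` shows the same fields by eye if you only want to confirm which SAN type the card actually carries.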