[SmartcardServices-Users] OS X 10.9 (10.10) Smart Card Logon But No PKINIT

Hoit, Daniel S. hoit2 at llnl.gov
Fri Apr 24 08:53:45 PDT 2015


Thanks Dan.
I may look into that then.

--DH



On Apr 24, 2015, at 8:48 AM, "Brodjieski, Daniel D CTR WHS EITSD (US)"
 <daniel.d.brodjieski.ctr at mail.mil> wrote:

> Hi Daniel-
> I have had similar issues when trying to leverage the built-in Kerberos
> tools with Mavericks and Yosemite.  I have had luck when I download and
> install the Heimdal tools directly from the project site (if I recall, it’s
> version 1.5).  I know the files haven’t been updated since last October,
> but it was the only way I could get a Kerberos ticket using the command
> line.  After installing it into /usr/heimdal, I’m able to run:
> 
> /usr/heimdal/bin/kinit -C KEYCHAIN: -D KEYCHAIN: --pk-enterprise
> 
> 
> And this has been working for us.
> 
> Hope that’s helpful.
> 
> Respectfully,
> 
> Dan Brodjieski
> 
> 
> 
> On 4/23/15, 4:36 PM, "Hoit, Daniel S." <hoit2 at llnl.gov> wrote:
> 
>> Hate to drag up stuff from the past, but I wonder if this was ever
>> figured out?
>> I'm looking at the same basic situation. I can do cacloginconfig-based
>> smart card login under 10.10.3, but I don't get a Kerberos TGT for the
>> user, and no options that I toss at kinit seem to enable it to do a
>> PKINIT.
>> 
>> Here is what I have:
>> Gemalto smart card, being correctly recognized and read by the system. I
>> can see the "keychain", the certificate on board has the correct EKU for
>> smart card login, and it shows as trusted. Root certificates for AD are
>> installed. Cacloginconfig.plist points to the right attributes. I can go
>> to the login window, insert the card, put in my PIN, and log in, but no
>> Kerberos ticket is generated.
>> 
>> If I run kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
>> I get the result: kinit: krb5_pk_enterprise_certs: Failed to find PKINIT
>> certificate: Certificate not found
>> Thinking that maybe this is a search path issue, and that the trailing :
>> after KEYCHAIN seems to indicate it's some sort of path separator, I tried
>> the following:
>> 
>> Run security list-keychains. Copy the "smart card keychain" name.
>> Run kinit -C KEYCHAIN:"smart card keychain name" -D KEYCHAIN: --windows
>> --pk-enterprise
>> Result: kinit: krb5_pk_enterprise_certs: PK-INIT cert didn't contain
>> principal SAN
>> 
>> Now, the certificate I'm trying to use DOES have a SAN, so I don't know
>> if this is further confusing things, or helping and showing the next
>> error in the chain.
>> 
>> I think I've tried every possible combination of documented switches in
>> kinit, but I can't seem to get any further.
>> Does anyone have any suggestions?
>> 
>> --DH
>> 
>> 
>> On May 22, 2014, at 7:59 AM, "Brown, Alexander [USA]"
>> <Brown_Alexander2 at bah.com> wrote:
>> 
>>> I exported the public certificate to a file and then ran "sudo security
>>> verify-cert -p pkinitClient -c <certificate-file>" (replacing
>>> <certificate-file> with the actual file name) and the message I received
>>> was "certificate verification successful".
>>> 
>>> 
>>> Alex
>>> 
>>> -----Original Message-----
>>> From: Henry B Hotz [mailto:hbhotz at oxy.edu]
>>> Sent: Tuesday, May 20, 2014 5:02 PM
>>> To: Yoann Gini
>>> Cc: Brown, Alexander [USA]; smartcardservices-users at lists.macosforge.org
>>> Subject: [External] Re: [SmartcardServices-Users] OS X 10.9 Smart Card
>>> Logon But No PKINIT
>>> 
>>> Just for completeness we should mention the command "security
>>> verify-cert -p pkinitClient". I don't think it calls any Heimdal
>>> Kerberos code, but it should tell you something about what the Apple PKI
>>> code thinks.
>>> 
>>> On May 20, 2014, at 12:11 AM, Yoann Gini <yoann.gini at gmail.com> wrote:
>>> 
>>>> On May 19, 2014, at 10:31 PM, Henry B Hotz <hbhotz at oxy.edu> wrote:
>>>> 
>>>>> On May 16, 2014, at 3:23 PM, Yoann Gini <yoann.gini at gmail.com> wrote:
>>>>> 
>>>>>>> I got the error "kinit: krb5_pk_enterprise_certs: Failed to find
>>>>>>> PKINIT certificate: Certificate not found". The smart card I am
>>>>>>> using for this is the DoD CAC.
>>>>>> 
>>>>>> I've got this problem too. I've found (via reverse engineering) that
>>>>>> the Kerberos framework has some problems in the algo used to validate
>>>>>> the certificate on the card. It seems to see it but doesn't take it as
>>>>>> valid.
>>>>> 
>>>>> Alexander's cert ought to be OK since it's at least recognized, but
>>>>> I've seen a similar apparent mis-match in processing the KDC reply
>>>>> from a Heimdal KDC. I suspect the problem is a mis-match between
>>>>> Apple's PKI framework and Heimdal.
>>>> 
>>>> Yes, this can also be an explanation for what I've seen.
>>>> 
>>>> When I said « it doesn't take it as valid », I was talking about the
>>>> whole checkup process: certificate validity and authorized usage.
>>>> 
>>>> Of course I've tried different KU and EKU without any success.
>>> 
>>> At least for Heimdal, I think KU of digitalSignature is all that's
>>> required. I wonder if it's worth trying Heimdal on a Linux system for
>>> comparison? (I suggest Debian with the OpenSC card drivers if someone
>>> wants to try.) If nothing else the error messages might be clearer, and
>>> you could write a better bug report for Apple.
>>> 
>>> Personal email.  hbhotz at oxy.edu
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> SmartcardServices-Users mailing list
>>> SmartcardServices-Users at lists.macosforge.org
>>> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
>> 
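Both kinit errors quoted in this thread ("Failed to find PKINIT certificate" and "PK-INIT cert didn't contain principal SAN"), and the KU/EKU discussion further down, come back to what the certificate on the card actually carries. The Go program below is an added example, not code from the list thread, from Heimdal or from Apple: it walks the subjectAltName extension by hand to find the Microsoft UPN otherName (crypto/x509 ignores otherName entries), checks for the digitalSignature key usage and for either the id-pkinit-KPClientAuth or the Microsoft Smart Card Logon EKU, and exercises those checks against a self-signed certificate that it constructs itself. The OIDs are the published ones (RFC 4556 and Microsoft's); the fixture certificate, the "Example Card Holder" subject and the sample UPN are constructed values. It is a triage aid for a certificate exported from the keychain, not a reproduction of Heimdal's or Apple's actual validation logic, which (as Henry notes) may require less, or check differently.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var (
	oidSubjectAltName   = asn1.ObjectIdentifier{2, 5, 29, 17}                    // id-ce-subjectAltName
	oidMSUserPrincipal  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // UPN otherName type
	oidMSSmartcardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // MS Smart Card Logon EKU
	oidPKINITClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 4}          // id-pkinit-KPClientAuth EKU
)

type otherName struct {
	TypeID asn1.ObjectIdentifier // OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
	Value  asn1.RawValue         // keeps the raw [0] wrapper; decoded only for UPN entries
}

// FindUPN walks subjectAltName by hand (crypto/x509 drops otherName entries) and returns the UPN, if any.
func FindUPN(cert *x509.Certificate) (string, bool) {
	for _, ext := range cert.Extensions {
		var names asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil || !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		for rest := names.Bytes; len(rest) > 0; {
			var gn asn1.RawValue
			rest, _ = asn1.Unmarshal(rest, &gn) // rest is nil after a malformed entry, ending the walk
			var on otherName                    // otherName is GeneralName choice [0], implicitly tagged
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil ||
				!on.TypeID.Equal(oidMSUserPrincipal) {
				continue
			}
			var upn string // a UTF8String inside the [0] EXPLICIT wrapper
			if _, err := asn1.Unmarshal(on.Value.Bytes, &upn); err == nil {
				return upn, true
			}
		}
	}
	return "", false
}

// CheckPKINITClientCert lists the missing attributes a PKINIT client certificate needs; empty means none missing.
func CheckPKINITClientCert(cert *x509.Certificate) []string {
	var problems []string
	need := func(ok bool, msg string) {
		if !ok {
			problems = append(problems, msg)
		}
	}
	need(cert.KeyUsage&x509.KeyUsageDigitalSignature != 0, "KeyUsage lacks digitalSignature")
	hasEKU := false
	for _, oid := range cert.UnknownExtKeyUsage { // crypto/x509 knows neither OID, so both land here
		hasEKU = hasEKU || oid.Equal(oidPKINITClientAuth) || oid.Equal(oidMSSmartcardLogon)
	}
	need(hasEKU, "EKU has neither id-pkinit-KPClientAuth nor Smart Card Logon")
	_, hasUPN := FindUPN(cert)
	need(hasUPN, "subjectAltName has no Microsoft UPN otherName (principal SAN)")
	return problems
}

func must[T any](v T, err error) T { // unwraps (value, error) pairs while building the fixture below
	if err != nil {
		panic(err)
	}
	return v
}

// upnSANExtension builds a subjectAltName holding one UPN otherName, as Active Directory issues it.
func upnSANExtension(upn string) pkix.Extension {
	value := must(asn1.MarshalWithParams(upn, "utf8")) // UTF8String
	on := otherName{TypeID: oidMSUserPrincipal, Value: asn1.RawValue{ // value [0] EXPLICIT
		Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: value}}
	generalName := must(asn1.MarshalWithParams(on, "tag:0")) // [0] IMPLICIT OtherName
	names := must(asn1.Marshal(asn1.RawValue{ // GeneralNames ::= SEQUENCE OF GeneralName
		Class: asn1.ClassUniversal, Tag: asn1.TagSequence, IsCompound: true, Bytes: generalName}))
	return pkix.Extension{Id: oidSubjectAltName, Value: names}
}

// newTestCert issues a constructed, self-signed cert shaped like a smart card logon cert; "" omits the SAN.
func newTestCert(upn string) *x509.Certificate {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed throwaway seed, fixture only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "Example Card Holder"}, KeyUsage: x509.KeyUsageDigitalSignature,
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidPKINITClientAuth, oidMSSmartcardLogon},
	}
	if upn != "" {
		tmpl.ExtraExtensions = []pkix.Extension{upnSANExtension(upn)}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv))
	return must(x509.ParseCertificate(der))
}
```

To run it against a real card certificate, hand the DER bytes of the exported certificate to x509.ParseCertificate and pass the result to CheckPKINITClientCert; a non-empty result names the attribute that is missing, which is more to go on than kinit's one-line error. The fixture is round-tripped through x509.CreateCertificate and x509.ParseCertificate so that the hand-built SAN encoding is checked against a real DER parser rather than only against the code that produced it.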