[SmartcardServices-Users] PKINIT against Active Directory KDC

Eino Tuominen eino at utu.fi
Thu Jan 11 00:24:44 PST 2018


Hi all,

I've been trying to get PK-INIT working with macOS High Sierra (10.13.2), Active Directory and Yubikeys. Currently I'm stuck on how to get kinit to find the correct certificates in the keychain. I've managed to get things working with the certificate and private key in a PEM file (kinit --pk-enterprise --windows -C FILE:/tmp/test.pem). But if I store the certificate and key in Keychain and try the same command with kinit --pk-enterprise --windows -C KEYCHAIN: I get an error:

kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found

The certificate looks like this:

$ /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/hxtool print FILE:/tmp/test.pem 
cert: 0
    friendly name: CN=Example Account,OU=People,DC=utu,DC=fi
    private key: yes
    issuer:  "CN=University of Turku Issuing CA Class 1,DC=utu,DC=fi"
    subject: "CN=Example Account,OU=People,DC=utu,DC=fi"
    serial: 5500008FD546F070AD0E2F882C000000008FD5
    keyusage: keyEncipherment, digitalSignature
    persistent: 5BDC16DB57748F5B0164151D8BE4E367C459462A

$ /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/hxtool validate FILE:/tmp/ollopi.pem 
checking extention: extKeyUsage
checking extention: keyUsage
checking extention: subjectKeyIdentifier
checking extention: authorityKeyIdentifier
checking extention: cRLDistributionPoints
checking extention: authorityInfoAccess
	Critical not set on MUST
1.3.6.1.5.5.7.48.21.3.6.1.5.5.7.48.2checking extention: subjectAltName

The only difference I see when I use "hxtool print KEYCHAIN:" is "private key: no", although the private key is shown with the certificate in Keychain Access.

I'd appreciate it if someone could offer any clue on how to fix this or debug it further. Oh, and if someone could point me to more detailed documentation or how-to articles on SmartCardServices, AttributeMapping and UserSelector, I'd be very thankful. The man pages are rather vague on this.

-- 
  Eino Tuominen
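An added check, not from the original post and not part of Heimdal or Apple's tooling, that reproduces with openssl what `hxtool print` reports for a FILE: identity: a certificate is present, a private key is present and actually belongs to that certificate, and keyUsage includes digitalSignature (the post's certificate has keyEncipherment, digitalSignature). It assumes `openssl` on PATH; the PEM path is whatever the caller passes.

```bash
#!/bin/sh
# pkinit_pem_check FILE.pem
# Returns 0 when the PEM holds a certificate, a private key, the key
# matches the certificate, and keyUsage carries digitalSignature.
# Prints one line per finding, similar in spirit to "hxtool print".
pkinit_pem_check() {
    pem="$1"
    rc=0
    # A certificate must be present; without it kinit has nothing to offer the KDC.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "certificate: no"
        return 1
    fi
    echo "certificate: yes"
    echo "subject:     $(openssl x509 -in "$pem" -noout -subject)"
    # A private key must be present (the post sees "private key: no" via KEYCHAIN:).
    if ! openssl pkey -in "$pem" -noout >/dev/null 2>&1; then
        echo "private key: no"
        rc=1
    else
        echo "private key: yes"
        # The key must belong to the certificate: compare SHA-256 of both DER public keys.
        cert_pub=$(openssl x509 -in "$pem" -noout -pubkey \
                   | openssl pkey -pubin -outform DER | openssl dgst -sha256)
        key_pub=$(openssl pkey -in "$pem" -pubout -outform DER | openssl dgst -sha256)
        if [ "$cert_pub" = "$key_pub" ]; then
            echo "key matches certificate: yes"
        else
            echo "key matches certificate: NO"
            rc=1
        fi
    fi
    # PKINIT signs the AS-REQ with this key, so keyUsage needs digitalSignature.
    if openssl x509 -in "$pem" -noout -text \
       | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'; then
        echo "keyusage: digitalSignature present"
    else
        echo "keyusage: digitalSignature MISSING"
        rc=1
    fi
    return $rc
}
```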


