I've got a fresh install of Fedora 34 and I'm trying to configure kinit to get Kerberos tickets using my smartcard. I don't want to join the domain (which is Windows AD).
I've been successful at configuring it to allow me to log in with a password, but cannot get it to work with my smartcard. When I try, it prompts me for my PIN, then prompts me for my password.
pkcs15-tool lists the certificates from the smart card; it does have multiple certs on it. I'm not sure if I have the correct one selected in my krb5.conf file (not really sure what to look for).
I've copied the PEM certs from the domain controller to /etc/ssl/certs/root, and the CA used for the smartcard. I've also copied the same certs to /etc/pki/nssdb using certutil.
Here is my krb5.conf file:
[libdefaults]
pkinit_anchors = DIR:/etc/ssl/certs/root/
pkinit_pool = DIR:/etc/ssl/certs/sub/
#pkinit_cert_match = || msScLogin,digitalSignature
#pkinit_eku_checking = kpServerAuth
pkinit_kdc_hostname = DC.DOMAIN.COM
pkinit_identities = PKCS11:opensc-pkcs11.so:slotid=0:certid=01
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = DC.DOMAIN.COM
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
DC.DOMAIN.COM = {
kdc = DC.DOMAIN.COM:88
admin_server = DC.DOMAIN.COM
default_domain = DC.DOMAIN.COM
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.dc.domain.com = DC.DOMAIN.COM
The command I'm using to get the ticket:
kinit -X 509_user_identity='PKCS11:opensc-pkcs11.so' username@DC.DOMAIN.COM
If I take out the -X option I can log in with my password. What am I missing?
Edit - Also added the certs to /etc/pki/nssdb
Edit 2 - I'm pretty sure I'm selecting the correct certificate. I've also seen online many tutorials saying to run
modutil -add "OpenSC PKCS #11 Module" -libfile opensc-pkcs11.so -dbdir /etc/pki/nssdb
But when I do I get this error:
ERROR: Failed to add module "OpenSC PKCS #11 Module". Probable cause : "Unknown PKCS #11 error."
Asked by Frank
(11 rep)
May 19, 2021, 04:27 PM
Last activity: Dec 6, 2022, 08:35 PM
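The core of the question is which of the several certificates on the card krb5 will pick. krb5 selects among the identities named by pkinit_identities using pkinit_cert_match, whose documented syntax is an optional leading relation (`&&`, the default, or `||`) followed by one or more tagged components: `<SUBJECT>regex`, `<ISSUER>regex`, `<SAN>regex`, `<EKU>list` (values pkinit, msScLogin, clientAuth, emailProtection) and `<KU>list` (values digitalSignature, keyEncipherment); a list component is satisfied only when the certificate carries every listed value. The following is an added example, not code from the original post and not krb5's own implementation: it models those documented matching semantics in Python over a constructed list of certificate descriptors standing in for what pkcs15-tool lists from a card, and then builds the matching pkinit_identities value with the right certid. The card contents, the subject/issuer strings, and the plain-string form of the SAN entries are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Value names krb5.conf accepts inside <EKU> and <KU> components.
EKU_NAMES = {"pkinit", "msScLogin", "clientAuth", "emailProtection"}
KU_NAMES = {"digitalSignature", "keyEncipherment"}


@dataclass
class CardCert:
    """One certificate on the token, as a tool like pkcs15-tool would list it.
    cert_id is the PKCS#11 object ID that goes into pkinit_identities certid=."""
    cert_id: str
    subject: str
    issuer: str
    san: list   # assumption: SAN entries flattened to plain strings
    eku: set
    ku: set


# Constructed sample card: an email-signing cert, a smart card logon cert,
# and an encryption-only cert. Not real card contents.
SAMPLE_CARD = [
    CardCert("01", "CN=Frank,OU=Users,DC=domain,DC=com",
             "CN=DOMAIN Issuing CA,DC=domain,DC=com",
             ["frank@domain.com"],
             {"emailProtection", "clientAuth"}, {"digitalSignature"}),
    CardCert("02", "CN=Frank,OU=Users,DC=domain,DC=com",
             "CN=DOMAIN Issuing CA,DC=domain,DC=com",
             ["frank@DC.DOMAIN.COM"],
             {"msScLogin", "clientAuth"}, {"digitalSignature"}),
    CardCert("03", "CN=Frank,OU=Users,DC=domain,DC=com",
             "CN=DOMAIN Issuing CA,DC=domain,DC=com",
             ["frank@domain.com"],
             {"emailProtection"}, {"keyEncipherment"}),
]

COMPONENT_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")


def parse_rule(rule):
    """Parse a pkinit_cert_match value into (relation, [(component, value), ...]).
    Raises ValueError for text that is not a tagged component or for unknown
    EKU/KU names, which is how a rule written without <...> tags is rejected."""
    rule = rule.strip()
    relation = "&&"
    if rule[:2] in ("&&", "||"):
        relation, rule = rule[:2], rule[2:]
    parts = COMPONENT_RE.split(rule)
    if parts[0].strip():
        raise ValueError(f"text before first component: {parts[0]!r}")
    comps = []
    for i in range(1, len(parts), 2):
        name, value = parts[i], parts[i + 1]
        if name in ("EKU", "KU"):
            values = {v.strip() for v in value.split(",") if v.strip()}
            unknown = values - (EKU_NAMES if name == "EKU" else KU_NAMES)
            if unknown:
                raise ValueError(f"unknown {name} value(s): {sorted(unknown)}")
            comps.append((name, values))
        else:
            comps.append((name, re.compile(value)))
    if not comps:
        raise ValueError("rule contains no <COMPONENT> segments")
    return relation, comps


def rule_is_valid(rule):
    try:
        parse_rule(rule)
        return True
    except (ValueError, re.error):
        return False


def component_matches(cert, name, value):
    if name == "SUBJECT":
        return value.search(cert.subject) is not None
    if name == "ISSUER":
        return value.search(cert.issuer) is not None
    if name == "SAN":
        return any(value.search(s) for s in cert.san)
    # For EKU and KU every listed value must be present on the certificate.
    return value <= (cert.eku if name == "EKU" else cert.ku)


def matching_certs(rule, certs):
    """Return the certificates that satisfy the rule, in card order."""
    relation, comps = parse_rule(rule)
    combine = all if relation == "&&" else any
    return [c for c in certs
            if combine(component_matches(c, n, v) for n, v in comps)]


def pkinit_identity(cert, module="opensc-pkcs11.so", slotid=0):
    """Build the pkinit_identities value that names exactly this certificate."""
    return f"PKCS11:{module}:slotid={slotid}:certid={cert.cert_id}"


if __name__ == "__main__":
    for c in matching_certs("<EKU>msScLogin<KU>digitalSignature", SAMPLE_CARD):
        print(c.cert_id, sorted(c.eku), pkinit_identity(c))
```

On a live card the equivalent check is to put the rule in krb5.conf and run kinit with KRB5_TRACE=/dev/stderr, which logs which identity pkinit loaded and why it was skipped; the option name kinit documents for the command line is X509_user_identity.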