hadoop-common-user mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: pkinit with heimdal kinit client
Date Thu, 11 Jun 2015 00:43:15 GMT
I'm surprised it was sent here. I thought it should be to krbdev@mit.edu.

Anyway, by the way, it looks like an interoperability issue between MIT KDC and Heimdal kinit,
resulting in an ASN1 decoding issue. To make sure, does it work if you use MIT kinit against
the KDC?

Regards,
Kai

From: Jim Shi [mailto:hanmao_shi@apple.com]
Sent: Thursday, June 11, 2015 12:38 AM
To: user@hadoop.apache.org
Subject: pkinit with heimdal kinit client

Hi, I have MIT KDC 1.10.6 running on a Linux server.
My client is Heimdal kinit on OS X.

On OS X:

./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM

On the KDC server, I saw this error:

Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error

Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error


I checked the certificates and they look good to me.

What else could be wrong?

Thanks for your help.

Jim
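
Added example, not part of the original thread: a small triage script for the krb5kdc log lines quoted above. It extracts each PREAUTH_FAILED request and unpacks the OpenSSL error code to show which OpenSSL library raised it. It assumes the OpenSSL 1.x packed error layout (8 bits library, 12 bits function, 12 bits reason); the function names, the library-number table and the re-joined sample log are constructed for this example.

```python
import re

# Constructed sample: the KDC log lines from the message, re-joined onto single lines.
SAMPLE_LOG = """\
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
"""

AS_REQ = re.compile(
    r"AS_REQ \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)
OSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

# OpenSSL 1.x library numbers that matter when triaging PKINIT failures.
LIB_NAMES = {11: "X509", 13: "ASN1", 33: "PKCS7", 46: "CMS"}


def unpack_openssl_error(code_hex):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def pkinit_failures(log_text):
    """Return one record per PREAUTH_FAILED AS_REQ that carries an OpenSSL error."""
    findings = []
    for line in log_text.splitlines():
        req, err = AS_REQ.search(line), OSSL_ERR.search(line)
        if not (req and err) or req["status"] != "PREAUTH_FAILED":
            continue
        lib, func, reason = unpack_openssl_error(err["code"])
        findings.append({
            "client": req["client"],
            "source": req["addr"],
            "lib": LIB_NAMES.get(lib, "lib %d" % lib),
            "func": err["func"],
            "reason": err["reason"],
            "codes": (lib, func, reason),
        })
    return findings


if __name__ == "__main__":
    for finding in pkinit_failures(SAMPLE_LOG):
        print(finding)
```

For the quoted log this reports library ASN1, meaning the error was raised while decoding a structure rather than by the X509 certificate-verification code.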