[Samba] Fwd: Re: Samba 4 & Smart card logon

Charalampos Anargyrou charalampos.anargyrou at gmail.com
Tue Jul 3 08:50:55 MDT 2012


I still have no clue what's going on.

In my attempt to find out what's happening, I found out I haven't done 
either 4.23.1 or 4.23.2 in the Heimdal guide ( 
http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html ).
So I tried 4.23.2, i.e.:

kadmin modify --pkinit-acl="CN=myuser,O=mycompany,C=GR" myuser@SERVER.CENTOSDOMAIN

and I received this error:

kadmin: invalid option -- '-'


I then tried to do:

kadmin

to get into interactive mode so I can issue the modify command but I 
receive this error:

Authenticating as principal Administrator/admin@SERVER.CENTOSDOMAIN with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

I was puzzled by the Administrator/admin, so next I tried:

kadmin -p Administrator@SERVER.CENTOSDOMAIN

with yet another error:

Authenticating as principal Administrator@SERVER.CENTOSDOMAIN with password.
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface


I also tried enabling debugging by using the instructions in 
http://www.h5l.org/manual/HEAD/info/heimdal/Debugging-Kerberos-problems.html, 
but I don't see any error messages.


1) How can I enable debugging? I'm on CentOS 6.2
2) According to the above, does it look like my installation is broken? 
Or is there something I am missing?


Kind Regards,
Charalampos


-------- Original Message --------
Subject: 	Re: [Samba] Samba 4 & Smart card logon
Date: 	Tue, 03 Jul 2012 13:49:06 +0300
From: 	Charalampos Anargyrou <charalampos.anargyrou at gmail.com>
To: 	Andrew Bartlett <abartlet at samba.org>
CC: 	samba at lists.samba.org



Which certificate do you mean?
myuser.pem or the Kerberos certificate?


On 7/3/12 12:56 PM, Andrew Bartlett wrote:
> On Tue, 2012-07-03 at 12:25 +0300, Charalampos Anargyrou wrote:
>> Hello Andrew,
>>
>> Thanks for your reply.
>>
>> Yes I could fill in the wiki if I manage to make it work :-)
>>
>>
>> I'm trying to test the Kerberos configuration with the certificates I
>> have created.
>> I'm getting this error:
>>
>> samba4kinit: krb5_pk_enterprise_certs: Failed to find PKINIT
>> certificate: Certificate not found
>>
>> using this command:
>>
>> samba4kinit --pk-user=FILE:/home/myuser/Downloads/myuser.pem --pk-enterprise
>>
>>
>> Does the error mean my certificates are wrong or does it mean I have not
>> configured Kerberos properly?
> My guess is that the client running samba4kinit isn't finding the
> certificate correctly.
>






