>I'm testing out PKINIT and encountered this error in the subject line.
>Does anyone know what it's related to and/or how to debug and resolve
>it further?
>
>So far, PKINIT talks to the KDC, receives an MIT cookie and loads the
>identity files: client0.pem and clientkey0.pem being invoked by 'kinit
>-X X509_user_identity=FILE:/client0.pem,/clientkey0.pem'. I'm still
>being requested to provide a password, which I understand should not
>be required with PKINIT.

About a half-dozen things could cause that error; for example, if you didn't configure PKINIT with the correct root and intermediate certificates so the client couldn't build a complete chain back to a trusted root, you'd get that.

I was going to suggest you use the KRB5_TRACE environment variable to get further debug output, but I think if you got that message then you already did that; what is causing the root issue should be in that trace information (before that message).

BTW, I believe that if your client key is protected with a password then you might get a password prompt for the key.

--Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
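
The two causes named in the reply above can be checked before running kinit. This is an added example, not part of the original thread or of MIT krb5; the function names and the argument layout (certificate, key, root bundle, optional intermediates bundle) are assumptions, and `openssl verify` only approximates the chain building that the PKINIT client performs.

```shell
#!/bin/sh
# Pre-flight checks for a PKINIT FILE: identity (added example).
# Usage (paths are placeholders): preflight.sh CERT KEY ROOTS [INTERMEDIATES]

# Return 0 if the PEM private key is passphrase-protected. Covers PKCS#8
# ("BEGIN ENCRYPTED PRIVATE KEY") and the legacy OpenSSL PEM format
# ("Proc-Type: 4,ENCRYPTED"). An encrypted key explains a password prompt.
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 if openssl can build a chain from the certificate to a trusted root.
# $1 = client cert, $2 = root CA bundle, $3 = optional intermediates bundle
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Run both checks; return 1 only when the chain cannot be built.
# $1 = cert, $2 = key, $3 = roots, $4 = optional intermediates
preflight() {
    rc=0
    if key_is_encrypted "$2"; then
        echo "note: $2 is encrypted; expect a passphrase prompt for the key" >&2
    fi
    if ! chain_ok "$1" "$3" "${4:-}"; then
        echo "fail: cannot build a chain from $1 to a root in $3" >&2
        rc=1
    fi
    return $rc
}

# Only act when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then
    preflight "$@" || exit 1
    # Trace the real attempt; the underlying cause is logged before the
    # final error message.
    KRB5_TRACE=/dev/stderr kinit -X "X509_user_identity=FILE:$1,$2"
fi
```

The root bundle passed here should be the same file the client is configured to trust (`pkinit_anchors` in krb5.conf or `-X X509_anchors=` on the kinit command line), otherwise the check says nothing about what kinit will see.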
