[38875] in Kerberos
RE: kinit failing when AD user joining using smartcard PIN on ubuntu
daemon@ATHENA.MIT.EDU (Pal, Vikram)
Wed Mar 3 14:58:19 2021
From: "Pal, Vikram" <Vikram.Yadav@dell.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Date: Tue, 2 Mar 2021 10:47:36 +0000
Message-ID: <SJ0PR19MB449514467E9DA5DFD989549CB9999@SJ0PR19MB4495.namprd19.prod.outlook.com>
In-Reply-To: <SJ0PR19MB44954938E5C2E39DD9C5540FB9999@SJ0PR19MB4495.namprd19.prod.outlook.com>
Cc: "Shastry, Shashiraja" <shashiraja.shastry@dell.com>,
    "Agrawal, Rajeev" <rajeev.a@dell.com>,
    "kerberos@mit.edu" <kerberos@mit.edu>
-----Original Message-----
From: Pal, Vikram
Sent: Tuesday, March 2, 2021 2:06 PM
To: Ken Hornstein
Cc: kerberos@mit.edu
Subject: RE: kinit failing when AD user joining using smartcard PIN on ubuntu 20.04
Hello Ken,
I tried again according to your suggestion but I'm not getting any logging info in =/tmp/kinit.log
Am I missing something here?
Regards,
Vikram
-----Original Message-----
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Sent: Tuesday, March 2, 2021 1:10 AM
To: Pal, Vikram
Cc: kerberos@mit.edu
Subject: Re: kinit failing when AD user joining using smartcard PIN on ubuntu 20.04
>We are logging in to an Ubuntu 20.04 device using a smartcard PIN. We are able to
>log in as an AD user successfully. We are using Windows 2019 AD Server.
So, I don't know what this means. I suspect that Kerberos isn't working correctly here and you're falling back to something else.
>We tried kinit manually but it's throwing an error. It asks for the PIN but
>immediately asks for a password without waiting for the PIN to be entered.
So ... there are a LOT of ways for PKINIT to go wrong (that's the protocol you use when using a smartcard), especially when a PKCS#11 module is involved, and some of the failure modes end up causing weird things to happen (and many of them cause fallbacks to a password prompt). But I'm not sure why you're running "sudo kinit [...]"; shouldn't you just run kinit without sudo? I am wondering if sudo is causing the PIN prompt and kinit is giving you the password prompt.
My suggestion is to run kinit again with the environment variable KRB5_TRACE set to point to a debug file. E.g.:
env KRB5_TRACE=/tmp/kinit.log kinit [extra kinit options here]
That might point you to what is going wrong.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
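
Added example, not part of the thread and not code from any poster or from MIT krb5: once a KRB5_TRACE file has been produced as suggested above, a short script can report whether PKINIT ran, why it failed, and whether kinit fell back to password preauthentication. The sample trace is constructed, and its line layout and message wording are assumed to follow MIT krb5's trace output; the function names are hypothetical.

```python
import re

# Constructed sample trace (not from the thread). Line layout and message
# wording are assumed to follow MIT krb5's KRB5_TRACE output.
SAMPLE_TRACE = """\
[4021] 1614681000.100001: Getting initial credentials for user@EXAMPLE.COM
[4021] 1614681000.100002: Received error from KDC: -1765328359/Additional pre-authentication required
[4021] 1614681000.100003: PKINIT client has no configured identity; giving up
[4021] 1614681000.100004: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[4021] 1614681000.100005: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
"""

LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
MODULE_RE = re.compile(r"^Preauth module (\S+) \(\d+\) \(\w+\) returned: (-?\d+)/(.*)$")


def preauth_results(text):
    """Return [(module, code, reason)] in the order the modules ran."""
    results = []
    for line in text.splitlines():
        entry = LINE_RE.match(line.strip())
        if not entry:
            continue  # skip blank or non-trace lines
        module = MODULE_RE.match(entry.group(3))
        if module:
            results.append((module.group(1), int(module.group(2)), module.group(3)))
    return results


def diagnose(text):
    """Summarise whether PKINIT ran, failed, and fell back to a password."""
    results = preauth_results(text)
    if not results:
        return "no preauth results: trace is empty or kinit never reached preauth"
    pkinit_failures = [r for r in results if r[0] == "pkinit" and r[1] != 0]
    if not any(r[0] == "pkinit" for r in results):
        return "pkinit module never ran"
    if not pkinit_failures:
        return "pkinit succeeded"
    reason = pkinit_failures[-1][2]
    if any(r[0] == "encrypted_timestamp" for r in results):
        return f"pkinit failed ({reason}); fell back to password preauth"
    return f"pkinit failed ({reason}); no password fallback seen"


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

An empty or missing trace file gives the first result, which separates "tracing never took effect" from "PKINIT was attempted and failed".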