You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-user@hadoop.apache.org by Jim Shi <ha...@apple.com> on 2015/06/10 18:38:11 UTC
pkinit with heimdal kinit client
Hi, I have MIT kdc 1.10.6 running on linux server.
My client is heimdal kinit on OS X.
on OS X:
./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM
on KDC server, I saw this error:
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
I checked the certificates and they looks good to me.
What else could be wrong?
Thanks for your help.
Jim
Re: pkinit with heimdal kinit client
Posted by Jim Shi <ha...@apple.com>.
Kai,
I had no issue with MIT kinit client. Only with OS X kinit.
Thanks
Jim
> On Jun 10, 2015, at 5:43 PM, Zheng, Kai <ka...@intel.com> wrote:
>
> I’m surprised it was sent here. I thought it should be to krbdev@mit.edu <ma...@mit.edu>.
>
> Anyway be the way, it looks like an inter-operable issue between MIT KDC and Heimdal kinit, resulting an ASN1 decoding issue. To make sure, does it work if you use MIT kinit against the KDC?
>
> Regards,
> Kai
> <>
> From: Jim Shi [mailto:hanmao_shi@apple.com]
> Sent: Thursday, June 11, 2015 12:38 AM
> To: user@hadoop.apache.org
> Subject: pkinit with heimdal kinit client
>
> Hi, I have MIT kdc 1.10.6 running on linux server.
> My client is heimdal kinit on OS X.
>
> on OS X:
>
> ./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM
>
> on KDC server, I saw this error:
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>
>
> I checked the certificates and they looks good to me.
>
> What else could be wrong?
>
> Thanks for your help.
>
> Jim
Re: pkinit with heimdal kinit client
Posted by Jim Shi <ha...@apple.com>.
Kai,
I had no issue with MIT kinit client. Only with OS X kinit.
Thanks
Jim
> On Jun 10, 2015, at 5:43 PM, Zheng, Kai <ka...@intel.com> wrote:
>
> I’m surprised it was sent here. I thought it should be to krbdev@mit.edu <ma...@mit.edu>.
>
> Anyway be the way, it looks like an inter-operable issue between MIT KDC and Heimdal kinit, resulting an ASN1 decoding issue. To make sure, does it work if you use MIT kinit against the KDC?
>
> Regards,
> Kai
> <>
> From: Jim Shi [mailto:hanmao_shi@apple.com]
> Sent: Thursday, June 11, 2015 12:38 AM
> To: user@hadoop.apache.org
> Subject: pkinit with heimdal kinit client
>
> Hi, I have MIT kdc 1.10.6 running on linux server.
> My client is heimdal kinit on OS X.
>
> on OS X:
>
> ./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM
>
> on KDC server, I saw this error:
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>
>
> I checked the certificates and they looks good to me.
>
> What else could be wrong?
>
> Thanks for your help.
>
> Jim
Re: pkinit with heimdal kinit client
Posted by Jim Shi <ha...@apple.com>.
Kai,
I had no issue with MIT kinit client. Only with OS X kinit.
Thanks
Jim
> On Jun 10, 2015, at 5:43 PM, Zheng, Kai <ka...@intel.com> wrote:
>
> I’m surprised it was sent here. I thought it should be to krbdev@mit.edu <ma...@mit.edu>.
>
> Anyway be the way, it looks like an inter-operable issue between MIT KDC and Heimdal kinit, resulting an ASN1 decoding issue. To make sure, does it work if you use MIT kinit against the KDC?
>
> Regards,
> Kai
> <>
> From: Jim Shi [mailto:hanmao_shi@apple.com]
> Sent: Thursday, June 11, 2015 12:38 AM
> To: user@hadoop.apache.org
> Subject: pkinit with heimdal kinit client
>
> Hi, I have MIT kdc 1.10.6 running on linux server.
> My client is heimdal kinit on OS X.
>
> on OS X:
>
> ./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM
>
> on KDC server, I saw this error:
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>
>
> I checked the certificates and they looks good to me.
>
> What else could be wrong?
>
> Thanks for your help.
>
> Jim
Re: pkinit with heimdal kinit client
Posted by Jim Shi <ha...@apple.com>.
Kai,
I had no issue with MIT kinit client. Only with OS X kinit.
Thanks
Jim
> On Jun 10, 2015, at 5:43 PM, Zheng, Kai <ka...@intel.com> wrote:
>
> I’m surprised it was sent here. I thought it should be to krbdev@mit.edu <ma...@mit.edu>.
>
> Anyway be the way, it looks like an inter-operable issue between MIT KDC and Heimdal kinit, resulting an ASN1 decoding issue. To make sure, does it work if you use MIT kinit against the KDC?
>
> Regards,
> Kai
> <>
> From: Jim Shi [mailto:hanmao_shi@apple.com]
> Sent: Thursday, June 11, 2015 12:38 AM
> To: user@hadoop.apache.org
> Subject: pkinit with heimdal kinit client
>
> Hi, I have MIT kdc 1.10.6 running on linux server.
> My client is heimdal kinit on OS X.
>
> on OS X:
>
> ./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM
>
> on KDC server, I saw this error:
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>
> Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>
>
> I checked the certificates and they looks good to me.
>
> What else could be wrong?
>
> Thanks for your help.
>
> Jim
RE: pkinit with heimdal kinit client
Posted by "Zheng, Kai" <ka...@intel.com>.
I'm surprised it was sent here. I thought it should be to krbdev@mit.edu<ma...@mit.edu>.
Anyway be the way, it looks like an inter-operable issue between MIT KDC and Heimdal kinit, resulting an ASN1 decoding issue. To make sure, does it work if you use MIT kinit against the KDC?
Regards,
Kai
From: Jim Shi [mailto:hanmao_shi@apple.com]
Sent: Thursday, June 11, 2015 12:38 AM
To: user@hadoop.apache.org
Subject: pkinit with heimdal kinit client
Hi, I have MIT kdc 1.10.6 running on linux server.
My client is heimdal kinit on OS X.
on OS X:
./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM
on KDC server, I saw this error:
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
I checked the certificates and they looks good to me.
What else could be wrong?
Thanks for your help.
Jim
RE: pkinit with heimdal kinit client
Posted by "Zheng, Kai" <ka...@intel.com>.
I'm surprised it was sent here. I thought it should be to krbdev@mit.edu<ma...@mit.edu>.
Anyway be the way, it looks like an inter-operable issue between MIT KDC and Heimdal kinit, resulting an ASN1 decoding issue. To make sure, does it work if you use MIT kinit against the KDC?
Regards,
Kai
From: Jim Shi [mailto:hanmao_shi@apple.com]
Sent: Thursday, June 11, 2015 12:38 AM
To: user@hadoop.apache.org
Subject: pkinit with heimdal kinit client
Hi, I have MIT kdc 1.10.6 running on linux server.
My client is heimdal kinit on OS X.
on OS X:
./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM
on KDC server, I saw this error:
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
I checked the certificates and they looks good to me.
What else could be wrong?
Thanks for your help.
Jim
RE: pkinit with heimdal kinit client
Posted by "Zheng, Kai" <ka...@intel.com>.
I'm surprised it was sent here. I thought it should be to krbdev@mit.edu<ma...@mit.edu>.
Anyway be the way, it looks like an inter-operable issue between MIT KDC and Heimdal kinit, resulting an ASN1 decoding issue. To make sure, does it work if you use MIT kinit against the KDC?
Regards,
Kai
From: Jim Shi [mailto:hanmao_shi@apple.com]
Sent: Thursday, June 11, 2015 12:38 AM
To: user@hadoop.apache.org
Subject: pkinit with heimdal kinit client
Hi, I have MIT kdc 1.10.6 running on linux server.
My client is heimdal kinit on OS X.
on OS X:
./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM
on KDC server, I saw this error:
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
I checked the certificates and they looks good to me.
What else could be wrong?
Thanks for your help.
Jim
RE: pkinit with heimdal kinit client
Posted by "Zheng, Kai" <ka...@intel.com>.
I'm surprised it was sent here. I thought it should be to krbdev@mit.edu<ma...@mit.edu>.
Anyway be the way, it looks like an inter-operable issue between MIT KDC and Heimdal kinit, resulting an ASN1 decoding issue. To make sure, does it work if you use MIT kinit against the KDC?
Regards,
Kai
From: Jim Shi [mailto:hanmao_shi@apple.com]
Sent: Thursday, June 11, 2015 12:38 AM
To: user@hadoop.apache.org
Subject: pkinit with heimdal kinit client
Hi, I have MIT kdc 1.10.6 running on linux server.
My client is heimdal kinit on OS X.
on OS X:
./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM
on KDC server, I saw this error:
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: NEEDED_PREAUTH: testuser@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): preauth (pkinit) verify failure: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PREAUTH_FAILED: testuser@REALM for krbtgt/REALM@REALM, error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
I checked the certificates and they looks good to me.
What else could be wrong?
Thanks for your help.
Jim