What were you trying to do that didn't work?
I have validated my certificate on the YubiKey, yet it still got:
~~~
% KRB5_TRACE=/dev/stderr kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' bob
[724913] 1757315503.056334: Matching bob@EXAMPLE.COM in collection with result: 0/Success
[724913] 1757315503.056335: Getting initial credentials for bob@EXAMPLE.COM
[724913] 1757315503.056337: Sending unauthenticated request
[724913] 1757315503.056338: Sending request (187 bytes) to EXAMPLE.COM
[724913] 1757315503.056339: Initiating TCP connection to stream 10.0.0.1:88
[724913] 1757315503.056340: Sending TCP request to stream 10.0.0.1:88
[724913] 1757315503.056341: Received answer (497 bytes) from stream 10.0.0.1:88
[724913] 1757315503.056342: Terminating TCP connection to stream 10.0.0.1:88
[724913] 1757315503.056343: Response was from primary KDC
[724913] 1757315503.056344: Received error from KDC: -1765328359/Additional pre-authentication required
[724913] 1757315503.056347: Preauthenticating using KDC method data
[724913] 1757315503.056348: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
...
[724913] 1757315503.056351: PKINIT loading identity PKCS11:opensc-pkcs11.so
[724913] 1757315503.056352: PKINIT opening PKCS#11 module "opensc-pkcs11.so"
[724913] 1757315503.056353: PKINIT PKCS#11 slotid 0 token bob
[724913] 1757315503.056354: Preauth module pkinit (147) (info) returned: 0/Success
[724913] 1757315503.056355: PKINIT client received freshness token from KDC
[724913] 1757315503.056356: Preauth module pkinit (150) (info) returned: 0/Success
[724913] 1757315503.056357: PKINIT opening PKCS#11 module "opensc-pkcs11.so"
[724913] 1757315503.056358: PKINIT PKCS#11 slotid 0 token bob
bob PIN:
[724913] 1757315506.064809: PKINIT loading CA certs and CRLs from FILE /var/lib/ipa-client/pki/kdc-ca-bundle.pem
[724913] 1757315506.064810: PKINIT loading CA certs and CRLs from FILE /var/lib/ipa-client/pki/kdc-ca-bundle.pem
[724913] 1757315506.064811: PKINIT loading CA certs and CRLs from FILE /var/lib/ipa-client/pki/ca-bundle.pem
[724913] 1757315506.064812: PKINIT loading CA certs and CRLs from FILE /var/lib/ipa-client/pki/ca-bundle.pem
[724913] 1757315506.064813: PKINIT client computed checksums: 49A8A358D34D4D9E829F4372EC93D53D559EDFB3 6D483B0F5729FEB48B792FC6EFDDCFDB4C7BE1F5EA6594BEB9BB544DAC0B4286
[724913] 1757315506.064815: PKINIT client making DH request
[724913] 1757315506.064816: PKINIT using 2048-bit DH key exchange group
[724913] 1757315506.064817: PKINIT chain cert #0: /O=EXAMPLE.COM/CN=bob
[724913] 1757315506.064818: PKINIT chain cert #1: /O=EXAMPLE.COM/CN=Smartcard CA
[724913] 1757315506.064819: Preauth module pkinit (16) (real) returned: 0/Success
[724913] 1757315506.064820: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[724913] 1757315506.064821: Sending request (4268 bytes) to EXAMPLE.COM
[724913] 1757315506.064822: Initiating TCP connection to stream 10.0.0.1:88
[724913] 1757315506.064823: Sending TCP request to stream 10.0.0.1:88
[724913] 1757315506.064824: Received answer (144 bytes) from stream 10.0.0.1:88
[724913] 1757315506.064825: Terminating TCP connection to stream 10.0.0.1:88
[724913] 1757315506.064826: Response was from primary KDC
[724913] 1757315506.064827: Received error from KDC: -1765328318/Certificate mismatch
kinit: Certificate mismatch while getting initial credentials
~~~
I have no certmaprule:
~~~
% ipa certmaprule-find
--------------------------------------------
0 Certificate Identity Mapping Rules matched
--------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
~~~
I have a user certificate:
~~~
% ipa user-show bob --raw | grep usercertificate
usercertificate: MIID9jCCAt6gAwIBAgIED+8Ad...3xHQ==
~~~
Yet, in the LDAP access log, the filter (usercertificate;binary=0\82\03\F60\82\02\DE\A0\03\02\01\02\02\04\0F\EF) appears, which none of the users matched:
~~~
[08/Sep/2025:17:11:46.207056538 +1000] conn=12 op=21 SRCH base="cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[08/Sep/2025:17:11:46.207097234 +1000] conn=12 op=21 RESULT err=0 tag=101 nentries=1 wtime=0.000048581 optime=0.000041647 etime=0.000089607
[08/Sep/2025:17:11:46.207236033 +1000] conn=12 op=22 SRCH base="cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration ipaPwdMaxRepeat ipaPwdMaxSequence ipaPwdDictCheck ipaPwdUserCheck"
[08/Sep/2025:17:11:46.207305633 +1000] conn=12 op=22 RESULT err=0 tag=101 nentries=1 wtime=0.000047619 optime=0.000070322 etime=0.000117119
[08/Sep/2025:17:11:46.207894983 +1000] conn=12 op=23 SRCH base="cn=certmap,dc=example,dc=com" scope=2 filter="(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))" attrs="objectClass ipaCertMapPriority ipaCertMapMatchRule ipaCertMapMapRule associatedDomain ipaEnabledFlag"
[08/Sep/2025:17:11:46.207946319 +1000] conn=12 op=23 RESULT err=0 tag=101 nentries=0 wtime=0.000054522 optime=0.000052407 etime=0.000106378
[08/Sep/2025:17:11:46.208292525 +1000] conn=12 op=24 SRCH base="dc=example,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=bob@EXAMPLE.COM)(krbPrincipalName:caseIgnoreIA5Match:=bob@EXAMPLE.COM))(usercertificate;binary=0\82\03\F60\82\02\DE\A0\03\02\01\02\02\04\0F\EF))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink ipaIdpConfigLi..."
[08/Sep/2025:17:11:46.208526412 +1000] conn=12 op=24 RESULT err=0 tag=101 nentries=0 wtime=0.000108923 optime=0.000236331 etime=0.000343932
~~~
As no entry was found, krb5kdc.log also showed "No matching entry found":
~~~
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): Initializing IPA certauth plugin.
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): Initializing IPA certauth plugin.
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): No valid certificate mapping and matching rule found, trying to use the default rule.
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): No valid certificate mapping and matching rule found, trying to use the default rule.
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): Doing certauth authorize for [bob@EXAMPLE.COM]
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): Doing certauth authorize for [bob@EXAMPLE.COM]
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): Got cert filter [(userCertificate;binary=\30\82\03\f6\30\82\02\de\a0\03\02\01\02\02\04\0f\ef\00...\70\61\2f\63\72\6c\2f\4d\61\73\74\65
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): Got cert filter [(userCertificate;binary=\30\82\03\f6\30\82\02\de\a0\03\02\01\02\02\04\0f\ef\00...\70\61\2f\63\72\6c\2f\4d\61\73\74\65
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): No matching entry found
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): No matching entry found
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): preauth (pkinit) verify failure: Certificate mismatch
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): preauth (pkinit) verify failure: Certificate mismatch
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.1: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Certificate mismatch
Sep 08 17:11:46 host0.example.com krb5kdc[724004](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.1: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Certificate mismatch
~~~
Consequently, kinit failed.
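Added diagnostic example (not from the bug report, FreeIPA or krb5): it decodes the usercertificate value that ipa user-show --raw prints, walks the DER far enough to locate the serialNumber INTEGER, and checks how far the usercertificate;binary assertion value recorded in the 389-ds access log follows the certificate and what the next DER byte is. It uses only the visible prefix of the certificate from the report (the full value is elided there) and assumes both logs use RFC 4515 \XX escaping for non-printable bytes.

```python
import base64
import re

# Visible prefix of the usercertificate value from the bug report, cut to a whole
# number of base64 quanta (24 chars -> 18 DER bytes).  The rest is elided there.
CERT_B64_PREFIX = "MIID9jCCAt6gAwIBAgIED+8A"
# Assertion value of the usercertificate;binary filter as shown in the access log.
LOGGED_FILTER_VALUE = r"0\82\03\F60\82\02\DE\A0\03\02\01\02\02\04\0F\EF"


def unescape_filter_value(value: str) -> bytes:
    """Turn an RFC 4515 assertion value (literal chars plus \\XX escapes) into bytes."""
    tokens = re.findall(r"\\[0-9A-Fa-f]{2}|.", value)
    return bytes(int(t[1:], 16) if t.startswith("\\") else ord(t) for t in tokens)


def escape_filter_value(data: bytes) -> str:
    """Escape every byte as \\xx, the unambiguous form for a binary attribute value."""
    return "".join(f"\\{b:02x}" for b in data)


def der_header(buf: bytes, pos: int):
    """Parse a DER tag and length at pos; return (tag, length, offset of contents)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def serial_number_span(der: bytes):
    """Offsets (start, end) of serialNumber: Certificate -> tbsCertificate -> [0] version -> serial."""
    _, _, pos = der_header(der, 0)        # Certificate SEQUENCE
    _, _, pos = der_header(der, pos)      # tbsCertificate SEQUENCE
    tag, length, contents = der_header(der, pos)
    if tag == 0xA0:                       # optional EXPLICIT [0] version, skip it
        tag, length, contents = der_header(der, contents + length)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return contents, contents + length


def compare_logged_filter(cert_b64: str, logged: str) -> dict:
    """Report whether the logged value is a prefix of the DER and where it stops."""
    der = base64.b64decode(cert_b64)
    got = unescape_filter_value(logged)
    start, end = serial_number_span(der)
    cut = len(got)
    return {
        "is_prefix": der.startswith(got),
        "logged_bytes": cut,
        "next_byte": der[cut] if cut < len(der) else None,
        "stops_inside_serial": start <= cut < end,
        "expected_prefix": escape_filter_value(der[:cut + 1]),
    }
```

Run against the values from this report it shows the logged value is a 17-byte prefix that stops inside the serial number, with 0x00 as the next certificate byte; the same check can be pointed at a full certificate and any access-log line on another server.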
What is the impact of this issue to you?
- Cannot use Smartcard to kinit
- Cannot use Smartcard to login
Please provide the package NVR for which the bug is seen:
~~~
krb5-libs-1.21.3-8.el10_0.x86_64
krb5-pkinit-1.21.3-8.el10_0.x86_64
krb5-server-1.21.3-8.el10_0.x86_64
krb5-workstation-1.21.3-8.el10_0.x86_64
python3-krb5-0.7.0-1.el10_0.x86_64
sssd-krb5-2.10.2-3.el10_0.2.x86_64
sssd-krb5-common-2.10.2-3.el10_0.2.x86_64
ipa-client-4.12.2-15.el10_0.1.x86_64
ipa-client-common-4.12.2-15.el10_0.1.noarch
ipa-client-encrypted-dns-4.12.2-15.el10_0.1.x86_64
ipa-common-4.12.2-15.el10_0.1.noarch
ipa-server-4.12.2-15.el10_0.1.x86_64
ipa-server-common-4.12.2-15.el10_0.1.noarch
ipa-server-dns-4.12.2-15.el10_0.1.noarch
~~~
Smartcard: Yubikey 5C
However, a similar configuration works in RHEL 9; I can get the corresponding ticket with the same smartcard.
How reproducible is this bug?:
Always
Steps to reproduce
- KRB5_TRACE=/dev/stderr kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' bob
- Input the correct PIN
Expected results
Kerberos ticket obtained.
Actual results
Failed with the error message:
~~~
kinit: Certificate mismatch while getting initial credentials
~~~