The situation is that I am creating a user certificate for FreeIPA using the standard certificate creation profiles. But every time I try to log in as a domain user with a certificate, I see the message "Client name mismatch". This message, as I understand it, is sent by Kerberos, but it is absolutely not clear what it does not like about my certificate. At the same time, I can log in as the user and get a Kerberos ticket without any problem when I do not use a certificate.
This is what the command returns if I try to get a Kerberos ticket with the certificate:
KRB5_TRACE=/dev/stdout kinit -X X509_user_identity=FILE:/root/arantin.pem,/root/arantin.key arantin
[9541] 1649160627.927861: Getting initial credentials for [email protected]
[9541] 1649160627.928000: Sending request (167 bytes) to FREE.IPA
[9541] 1649160627.928150: Initiating TCP connection to stream 192.168.3.3:88
[9541] 1649160627.928265: Sending TCP request to stream 192.168.3.3:88
[9541] 1649160627.930303: Received answer (292 bytes) from stream 192.168.3.3:88
[9541] 1649160627.930330: Terminating TCP connection to stream 192.168.3.3:88
[9541] 1649160627.930421: Response was from master KDC
[9541] 1649160627.930477: Received error from KDC: -1765328359/Additional pre-authentication required
[9541] 1649160627.930505: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[9541] 1649160627.930528: Selected etype info: etype aes256-cts, salt "9X\Clzp2xtK\fDk_", params ""
[9541] 1649160627.930547: Received cookie: MIT
[9541] 1649160627.930717: Preauth module pkinit (147) (info) returned: 0/Success
[9541] 1649160627.930893: PKINIT client computed kdc-req-body checksum 9/AC06024CC2069A9C1060B15A3403C8E8BD6447CC
[9541] 1649160627.930912: PKINIT client making DH request
[9541] 1649160628.173868: Preauth module pkinit (16) (real) returned: 0/Success
[9541] 1649160628.173901: Produced preauth for next request: 133, 16
[9541] 1649160628.173930: Sending request (2844 bytes) to FREE.IPA
[9541] 1649160628.174001: Initiating TCP connection to stream 192.168.3.3:88
[9541] 1649160628.174096: Sending TCP request to stream 192.168.3.3:88
[9541] 1649160628.176732: Received answer (161 bytes) from stream 192.168.3.3:88
[9541] 1649160628.176758: Terminating TCP connection to stream 192.168.3.3:88
[9541] 1649160628.176814: Response was from master KDC
[9541] 1649160628.176851: Received error from KDC: -1765328309/Client name mismatch
kinit: Client name mismatch while getting initial credentials
I need to understand how to configure certificate issuance profiles on FreeIPA so that they work and I receive a Kerberos ticket.
I'll answer myself. The problem was that it was necessary to add the following lines to the kdc and krb5 configs, in the realms and libdefaults blocks respectively.
You will also need to create a new profile. Instructions from FreeIPA: https://www.freeipa.org/page/V4/Certificate_Profiles
Certificate example
@FreeIPA - replace it with your domain part
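The trace in the question ends with the KDC rejecting the PKINIT pre-authentication with "Client name mismatch". In MIT Kerberos, a PKINIT client certificate is tied to a principal through the id-pkinit-san otherName defined in RFC 4556 section 3.2.2 (a KRB5PrincipalName structure) unless a certificate-matching rule or plugin supplies a different mapping; when the principal named there is not the one kinit asked for, the KDC refuses with exactly this error. The script below is an added example, not code from the question, the answer or the FreeIPA project: it encodes and decodes that SAN value with a small hand-written DER codec (so it runs without third-party modules) and checks it against the requested principal the way one would when inspecting a certificate issued by a new profile. The sample user "arantin" and realm "FREE.IPA" are taken from the trace above; the match function and the rule that the comparison is exact (Kerberos principals are case-sensitive) are this example's own.

```python
# Added example (not from the question or answer): encode and decode the
# id-pkinit-san otherName value (KRB5PrincipalName, RFC 4556 section 3.2.2)
# and check it against the principal that kinit asked for. The DER helpers
# below are hand-written so the script runs without third-party modules.

SEQUENCE, INTEGER, GENERAL_STRING = 0x30, 0x02, 0x1B
CTX0, CTX1 = 0xA0, 0xA1          # [0] and [1] EXPLICIT context tags
NT_PRINCIPAL = 1                 # Kerberos name-type for ordinary principals


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def encode_krb5_principal_name(realm: str, name_parts: list[str],
                               name_type: int = NT_PRINCIPAL) -> bytes:
    """Build the DER value placed inside the id-pkinit-san otherName:
    SEQUENCE { [0] Realm, [1] PrincipalName { [0] name-type, [1] SEQUENCE OF string } }."""
    realm_field = _tlv(CTX0, _tlv(GENERAL_STRING, realm.encode("ascii")))
    strings = b"".join(_tlv(GENERAL_STRING, p.encode("ascii")) for p in name_parts)
    principal = _tlv(SEQUENCE,
                     _tlv(CTX0, _tlv(INTEGER, name_type.to_bytes(1, "big")))
                     + _tlv(CTX1, _tlv(SEQUENCE, strings)))
    return _tlv(SEQUENCE, realm_field + _tlv(CTX1, principal))


def _read(buf: bytes, expected_tag: int, pos: int = 0) -> tuple[bytes, int]:
    """Read one TLV at pos, enforce its tag, return (body, offset after it)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nb = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length


def decode_krb5_principal_name(der: bytes) -> tuple[str, list[str], int]:
    """Parse a KRB5PrincipalName DER value into (realm, name parts, name type)."""
    outer, _ = _read(der, SEQUENCE)
    realm_ctx, pos = _read(outer, CTX0)
    realm, _ = _read(realm_ctx, GENERAL_STRING)
    pn_ctx, _ = _read(outer, CTX1, pos)
    pn, _ = _read(pn_ctx, SEQUENCE)
    nt_ctx, pos = _read(pn, CTX0)
    nt, _ = _read(nt_ctx, INTEGER)
    ns_ctx, _ = _read(pn, CTX1, pos)
    ns, _ = _read(ns_ctx, SEQUENCE)
    parts, pos = [], 0
    while pos < len(ns):
        s, pos = _read(ns, GENERAL_STRING, pos)
        parts.append(s.decode("ascii"))
    return realm.decode("ascii"), parts, int.from_bytes(nt, "big", signed=True)


def san_matches_client(der: bytes, client_principal: str) -> bool:
    """True when the certificate's id-pkinit-san names exactly the requested
    client principal ("user@REALM" or "svc/host@REALM"). Kerberos principals
    are case-sensitive, so the comparison is exact."""
    name, _, realm = client_principal.rpartition("@")
    if not name or not realm:
        return False
    san_realm, san_parts, _ = decode_krb5_principal_name(der)
    return san_realm == realm and san_parts == name.split("/")


if __name__ == "__main__":
    # Sample values taken from the trace in the question: user arantin, realm FREE.IPA.
    san = encode_krb5_principal_name("FREE.IPA", ["arantin"])
    print(san.hex())
    print(san_matches_client(san, "arantin@FREE.IPA"))     # True
    print(san_matches_client(san, "Arantin@FREE.IPA"))     # False: case differs
    print(san_matches_client(san, "arantin@OTHER.REALM"))  # False: realm differs
```

To check a real certificate, take the otherName value for OID 1.3.6.1.5.2.2 out of its subjectAltName extension (for example with openssl asn1parse) and hand those DER bytes to san_matches_client together with the principal passed to kinit; a False result means the profile is not writing the principal the KDC expects and the name-mismatch error will keep appearing regardless of the kdc and krb5 config changes from the answer.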