Hi Kevin,

Thank you for the previous reply which you sent me.

/################ YOUR REPLY #################/

Unfortunately, I don't have the time right now to guide you. Below is
an example of my test KDC's kdc.conf and client's krb5.conf. As Russ
pointed out, your realm name is _highly_ unconventional, and is highly
likely to cause problems. I don't know if it has anything to do with
any problems you are currently seeing. Conventionally, your realm
name should be GLOBALEDGESOFT.COM (upper-case of your domain name).
Besides that, your config files look reasonable. Without seeing the
contents of the /ca and /kdc directories, and the contents of the
certificates within them, I can't say more.

The contents of the cert and key files are expected to be in PEM
format. Their names aren't important. See
http://www.mit.edu/~kerberos/krb5-1....rb5-admin.html
for more info on the config options.

You *may* get more help by compiling the pkinit preauth plugin code
with -DDEBUG, which will cause it to print more information to stdout.

K.C.

---- example kdc.conf ----

[kdcdefaults]
default_realm = KWCTEST.CITI.UMICH.EDU
kdc_ports = 750,88
kdc_tcp_ports = 88
v4_mode = nopreauth

[realms]
KWCTEST.CITI.UMICH.EDU = {
database_name = /usr/local/krb5/var/krb5kdc/KWCTEST/principal
admin_keytab = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.keytab
acl_file = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.acl
dict_file = /usr/local/krb5/var/krb5kdc/kadm5.dict
key_stash_file = /usr/local/krb5/var/krb5kdc/KWCTEST/.k5.KWCTEST.CITI.UMICH.EDU
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:afs3
kadmind_port = 749
pkinit_pool = FILE:/etc/grid-security/certificates/ca-intermediates.crt
pkinit_revoke = DIR:/etc/grid-security/certificates
pkinit_identity=FILE:/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.crt,/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.key
pkinit_anchors=FILE:/etc/grid-security/certificates/ca-bundle.crt
pkinit_anchors=FILE:/etc/grid-security/certificates/doe-ca.crt
pkinit_allow_upn = true
pkinit_eku_checking = none
}


---- example krb5.conf ----
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = KWCTEST.CITI.UMICH.EDU
dns_lookup_realm = true
dns_lookup_kdc = true
noaddresses = true
no-addresses = true
forwardable = true
pkinit_anchors = DIR:/etc/grid-security/certificates

KWCTEST.CITI.UMICH.EDU = {
pkinit_require_eku = true
pkinit_require_krbtgt_otherName = true
pkinit_require_hostname_match = true
}

[realms]

KWCTEST.CITI.UMICH.EDU = {
kdc = rock.citi.umich.edu
admin_server = rock.citi.umich.edu
}

[domain_realm]
rock.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
roll.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
/#################### End of Reply ############### /

It would really be helpful if I could get steps/links on generating certificates for the CA, KDC and client.
I am not very confident with the way I am generating the certificates and placing them in their profiles.
The method I have used to generate the certificates is as follows:

/************ CA certificates ***********/
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

At the end of this I have ca.crt and ca.key, which is self-signed.

/************* END of CA crt **************/

/************* Client certificate *********/

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey ca.key -extensions client_cert -out client.crt

At the end of this I have client.crt and client.key, which is signed by ca.key.

/************* END of client crt ***********/

/************* KDC certificate *************/

openssl genrsa -out kdc.key 2048
openssl req -new -key kdc.key -out kdc.csr
openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extensions kdc_cert -out kdc.crt

/************* END of KDC crt **************/

The contents of /ca are ca.crt and ca.key; /kdc contains kdc.crt and kdc.key; /client contains client.crt and client.key,
which you asked about in the previous reply.
Looking forward to your reply regarding generating certificates. Can I get the steps you
used to generate the certificates mentioned in the example kdc.conf and krb5.conf files
(previous reply)? Can I also know what the certificates in DIR:/etc/grid-security/certificates are?
It would also be helpful to know how the kinit program selects the certificates, or the criteria to be met
for the certificates it sends in the AS_REQ.
Meanwhile I will compile the KDC with -DDEBUG and try to find a solution.

Thank you for your precious time and support...

With regards,
Naveen
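The thread itself never shows a complete, working certificate procedure, so the script below is an added example (mine, not K.C.'s or Naveen's code) of minting a test CA, a KDC certificate and a client certificate that carry the extensions a PKINIT peer looks for: the id-pkinit-san otherName (1.3.6.1.5.2.2) holding a KRB5PrincipalName, and the id-pkinit-KPKdc (1.3.6.1.5.2.3.5) or id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) extended key usage. The realm, principal, KDC hostname, subject names, key sizes and lifetimes are assumptions passed in or chosen for illustration; the extension file layout follows OpenSSL's config and ASN.1-generation syntax (the MIT krb5 PKINIT documentation describes a file of the same shape). Note the signing step: the leaf certificates are signed with `-CA ca.crt -CAkey ca.key`, not `-signkey ca.key`, because `-signkey` produces a certificate whose issuer is its own subject, which will never chain to the CA.

```shell
#!/bin/sh
# Added example, not code from the thread.  Creates a self-signed CA plus a
# KDC certificate and a client certificate with PKINIT extensions.
#
# OIDs (RFC 4556):
#   1.3.6.1.5.2.2    id-pkinit-san           SAN otherName carrying a KRB5PrincipalName
#   1.3.6.1.5.2.3.4  id-pkinit-KPClientAuth  EKU for client certificates
#   1.3.6.1.5.2.3.5  id-pkinit-KPKdc         EKU for KDC certificates

# make_pkinit_certs DIR REALM CLIENT_PRINCIPAL KDC_HOSTNAME
# (all four arguments are assumptions chosen by the caller)
make_pkinit_certs() {
    dir=$1
    REALM=$2
    CLIENT=$3
    KDC_HOST=$4
    export REALM CLIENT KDC_HOST   # referenced as ${ENV::...} in the extension file
    mkdir -p "$dir" || return 1

    # Extension file.  The otherName is built with OpenSSL's ASN.1 syntax:
    #   KRB5PrincipalName ::= SEQUENCE { realm [0] Realm,
    #                                    principalName [1] PrincipalName }
    #   PrincipalName     ::= SEQUENCE { name-type [0] INTEGER,
    #                                    name-string [1] SEQUENCE OF GeneralString }
    # The heredoc is quoted so the shell leaves ${ENV::...} for OpenSSL to expand.
    cat > "$dir/pkinit_extensions.cnf" <<'EOF'
[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# krbtgt/REALM as otherName, plus a dNSName for peers that match the KDC hostname
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name,DNS:${ENV::KDC_HOST}

[kdc_princ_name]
realm = EXP:0,GeneralString:${ENV::REALM}
principal_name = EXP:1,SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0,INTEGER:2
name_string = EXP:1,SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

[client_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:client_princ_name

[client_princ_name]
realm = EXP:0,GeneralString:${ENV::REALM}
principal_name = EXP:1,SEQUENCE:client_principal_seq

[client_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:client_principals

[client_principals]
princ1 = GeneralString:${ENV::CLIENT}
EOF

    # 1. Self-signed CA (the ca.crt / ca.key pair the thread refers to).
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=PKINIT Test CA" >/dev/null 2>&1 || return 1

    # 2. KDC key + CSR, signed by the CA with the kdc_cert section.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/kdc.key" -out "$dir/kdc.csr" \
        -subj "/CN=$KDC_HOST" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$dir/kdc.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pkinit_extensions.cnf" -extensions kdc_cert \
        -out "$dir/kdc.crt" >/dev/null 2>&1 || return 1

    # 3. Client key + CSR, signed the same way with the client_cert section.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=$CLIENT" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pkinit_extensions.cnf" -extensions client_cert \
        -out "$dir/client.crt" >/dev/null 2>&1 || return 1
    rm -f "$dir"/*.csr
}

# verify_pkinit_certs DIR: chain both leaves to the CA (what a PKINIT peer
# does before it looks at the principal) and show the extensions it checks.
verify_pkinit_certs() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/kdc.crt" "$dir/client.crt" || return 1
    for f in kdc client; do
        echo "== $f.crt"
        openssl x509 -in "$dir/$f.crt" -noout -subject -issuer
        openssl x509 -in "$dir/$f.crt" -noout -text \
            | grep -A1 -E 'Extended Key Usage|Subject Alternative Name'
    done
}

# Usage: sh pkinit_certs.sh /tmp/pkinit EXAMPLE.COM naveen kdc.example.com
if [ "$#" -eq 4 ]; then
    make_pkinit_certs "$@" && verify_pkinit_certs "$1"
fi
```

Once the files exist, the KDC points at its pair with `pkinit_identity = FILE:/path/kdc.crt,/path/kdc.key` and at the CA with `pkinit_anchors = FILE:/path/ca.crt` in kdc.conf; the client uses `pkinit_identities = FILE:/path/client.crt,/path/client.key` and the same `pkinit_anchors` in krb5.conf. That `pkinit_identities` setting is how kinit picks the certificate it sends in the AS-REQ: it loads the identity named there, and the KDC then checks that the certificate chains to an anchor and that its SAN principal (or, with `pkinit_allow_upn`, its UPN) matches the requesting principal. If `openssl verify` in the script fails, the certificates were not actually issued by the CA and PKINIT will fail for the same reason.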