attribute to require pkinit?

Nicolas Williams Nicolas.Williams at
Wed Nov 29 13:18:24 EST 2006

On Wed, Nov 29, 2006 at 12:55:59PM -0500, Sam Hartman wrote:
> no, I think he means a principal with no keys.
> This would be a reasonable approach, but it turns out it would at
> least break the LDAP backend.  Fixing the LDAP backend would probably
> be desirable.

I've long been annoyed that one could not create a principal without

And no, this isn't the right answer, since to me a principal without
keys could mean other things: e.g., that this principal's long-term keys
haven't been set because enrollment/migration hasn't completed yet.


More information about the krbdev mailing list