trouble with pkinit

Geoffrey Thorpe geoff at geoffthorpe.net
Fri Apr 17 18:05:20 EDT 2026


Hi all

I previously posted about my "HCP" interest in MIT kerberos (porting it 
over from Heimdal) on the kerberos at mit.edu mail list;
https://mailman.mit.edu/pipermail/kerberos/2026-March/023321.html

I've made a little progress since then. Not much, but a little. I've 
managed to teach it to build two variants of the base image, the 
existing one (which is Heimdal-based) plus a new alternative, which has 
MIT kerberos (and rra/kstart!) and none of the Heimdal stuff. And from 
there, the first baby-step is try to get the "alicia" workload of the 
test use-case to run on the MIT variant. (I.e. to leave all the 
infrastructural elements, KDCs and what-not, running on the 
Heimdal-based image, and just move one of the test clients over to MIT.)

The "alicia" workload uses kinit (with a pkinit client cert that is 
provisioned by the HCP machinery) to get a TGT and then tries to use 
that to connect to another workload over ssh (using GSS). When running 
alicia on the MIT-based image, what I'm seeing is;

root@alicia:~# kinit -V \
-X X509_user_identity=FILE:/assets/pkinit-client-alicia.pem alicia
Using default cache: /tmp/krb5cc_0
Using principal: alicia@HCPHACKING.XYZ
PA Option X509_user_identity = FILE:/assets/pkinit-client-alicia.pem
kinit: Client 'alicia@HCPHACKING.XYZ' not found in Kerberos database 
while getting initial credentials

Whereas if I start the alicia container using the Heimdal-based image, 
it gets a TGT just fine;

root@alicia:~# kinit \
-C FILE:/assets/pkinit-client-alicia.pem alicia
root@alicia:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: alicia@HCPHACKING.XYZ

   Issued                Expires               Principal
Apr 17 21:42:32 2026  Apr 17 21:47:32 2026  krbtgt/HCPHACKING.XYZ@HCPHACKING.XYZ

Notes that might be relevant;
* I confirmed the MIT-based image has pkinit support built/installed
* These both use the same krb5.conf, with the same [realms] config;
   * the 'kdc' attribute points to the correct KDC
   * 'pkinit_anchors' points to the CA file (that signed the KDC cert)
* The (Heimdal-based) KDC is configured to use synthetic principals, so 
indeed there is no "alicia" principal in the Kerberos database; the KDC 
is configured to issue a TGT for whichever client principal is in the 
client cert, whether or not that principal is in its database. This 
doesn't pose a problem with the Heimdal kinit, so I don't know why it 
would be an issue with the MIT one. (I.e. whether the principal is or 
isn't in the database is a KDC-side consideration, so why is this error 
message showing up on the client-side?)
* If I run the "kinit" command without the "-X" argument providing the 
certificate, I see exactly the same error.

Any ideas? If there's a way to increase the debugging (or even 
instrument the mit code directly), I'm happy to try out any suggestions. 
BTW, the HCP build can generate the MIT-based image using either 
standard debian packages or compiling and installing from source, and I 
have tried both. If anyone wants me to patch the mit-krb5 source to try 
out any ideas, I'm currently compiling and installing from the master 
branch of the github.com/krb5/krb5 repo.

(Also BTW, I haven't yet pushed my MIT-supporting HCP changes, so if you 
are courageous enough to want to try any of this yourself, please ping 
me first.)

TIA

Cheers,
Geoff
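MIT krb5's client library writes a step-by-step trace when the KRB5_TRACE environment variable is set (for example KRB5_TRACE=/dev/stderr kinit ...), and that trace shows which stage of the AS exchange the "Client not found" error came back from. The script below is an added example, not part of the original post and not code from the krb5 project: it parses such a trace, converts MIT's com_err numbers back to RFC 4120 KRB-ERROR codes (MIT's value is the krb5 error-table base plus the protocol code, so -1765328378 is base + 6), and reports whether the KDC's error arrived in reply to the initial unauthenticated AS-REQ, before any preauth module (pkinit included) ran, or only after preauth was attempted. The two sample traces are constructed to approximate MIT's trace format and are not captures from the poster's environment; the error-table base and the error codes are the real values, the line wording is an assumption.

```python
"""Classify an MIT krb5 client trace (KRB5_TRACE=/dev/stderr kinit ...).

Added diagnostic example, not part of the original post. The sample trace
lines are constructed and approximate MIT's format; only the numeric codes
(error-table base, RFC 4120 error codes, PA type numbers) are authoritative.
"""
import re

# MIT's com_err value for a KDC error is this base plus the RFC 4120 code,
# e.g. -1765328378 == KRB5_ERROR_TABLE_BASE + 6 (KDC_ERR_C_PRINCIPAL_UNKNOWN).
KRB5_ERROR_TABLE_BASE = -1765328384

# RFC 4120 section 7.5.9 error codes relevant to AS-REQ / preauth failures.
ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    62: "KDC_ERR_CLIENT_NOT_TRUSTED",
    68: "KDC_ERR_WRONG_REALM",
}

TRACE_LINE = re.compile(r"^\[\d+\] \d+\.\d+: (?P<msg>.*)$")
KDC_ERROR = re.compile(r"Received error from KDC: (?P<num>-?\d+)/(?P<text>.*)")
PREAUTH_MOD = re.compile(
    r"Preauth module (?P<mod>\w+) \((?P<patype>\d+)\) \((?:real|info)\) "
    r"returned: (?P<num>-?\d+)/"
)

# Constructed trace resembling the failure in the post: the KDC answers the
# bare AS-REQ with code 6 and the client never gets to run pkinit.
SAMPLE_TRACE_UNKNOWN_CLIENT = """
[4711] 1776463200.000001: Getting initial credentials for alicia@HCPHACKING.XYZ
[4711] 1776463200.000002: Sending unauthenticated request
[4711] 1776463200.000003: Sending request (181 bytes) to HCPHACKING.XYZ
[4711] 1776463200.000004: Received error from KDC: -1765328378/Client not found in Kerberos database
"""

# Constructed trace of a PKINIT exchange that proceeds: code 25 on the bare
# request, then the pkinit module (PA type 16, RFC 4556) produces preauth.
SAMPLE_TRACE_PKINIT_OK = """
[4712] 1776463201.000001: Getting initial credentials for alicia@HCPHACKING.XYZ
[4712] 1776463201.000002: Sending unauthenticated request
[4712] 1776463201.000003: Sending request (181 bytes) to HCPHACKING.XYZ
[4712] 1776463201.000004: Received error from KDC: -1765328359/Additional pre-authentication required
[4712] 1776463201.000005: Preauthenticating using KDC method data
[4712] 1776463201.000006: Processing preauth types: PA-PK-AS-REQ (16), PA-ENC-TIMESTAMP (2)
[4712] 1776463201.000007: Preauth module pkinit (16) (real) returned: 0/Success
[4712] 1776463201.000008: Produced preauth for next request: PA-PK-AS-REQ (16)
[4712] 1776463201.000009: Sending request (2051 bytes) to HCPHACKING.XYZ
[4712] 1776463201.000010: Received answer (1531 bytes) from dgram 10.0.0.5:88
"""


def analyze_trace(trace_text):
    """Extract the AS-exchange milestones from a KRB5_TRACE log."""
    result = {
        "unauthenticated_request": False,  # client sent a bare AS-REQ first
        "preauth_reached": False,          # client processed KDC method data
        "preauth_modules": [],             # (module, pa-type, return code)
        "kdc_errors": [],                  # (rfc4120 code, name, text), in order
    }
    for raw in trace_text.splitlines():
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Sending unauthenticated request"):
            result["unauthenticated_request"] = True
        elif msg.startswith("Preauthenticating using KDC method data"):
            result["preauth_reached"] = True
        elif (pm := PREAUTH_MOD.match(msg)):
            result["preauth_reached"] = True
            result["preauth_modules"].append(
                (pm.group("mod"), int(pm.group("patype")), int(pm.group("num"))))
        elif (em := KDC_ERROR.match(msg)):
            code = int(em.group("num")) - KRB5_ERROR_TABLE_BASE
            result["kdc_errors"].append(
                (code, ERROR_NAMES.get(code, f"code {code}"), em.group("text")))
    return result


def diagnose(result):
    """One-line verdict on which stage the KDC error belongs to."""
    errors = result["kdc_errors"]
    if not errors:
        return "no KDC error recorded in trace"
    first_code, first_name, _ = errors[0]
    if first_code == 6 and not result["preauth_reached"]:
        return (f"KDC rejected the initial unauthenticated AS-REQ with {first_name}; "
                "no preauth module ran before the KDC replied")
    if first_code == 25:
        mods = [mod for mod, _, _ in result["preauth_modules"]]
        if "pkinit" in mods:
            return "KDC requested preauth and the client ran the pkinit module"
        return "KDC requested preauth but no pkinit module ran: " + ", ".join(mods)
    return f"first KDC error was {first_name}"


if __name__ == "__main__":
    for name, sample in (("unknown-client", SAMPLE_TRACE_UNKNOWN_CLIENT),
                         ("pkinit-ok", SAMPLE_TRACE_PKINIT_OK)):
        print(f"{name}: {diagnose(analyze_trace(sample))}")
```

Run against a real trace by capturing kinit's stderr to a file and feeding that text to analyze_trace(); a code-6 error on the unauthenticated request, with no pkinit module line before it, means the client-side message is simply the KDC's KRB-ERROR echoed back, so the next place to look is the KDC's handling of the bare AS-REQ rather than the client's certificate configuration.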
