trouble with pkinit
Nico Williams
nico at cryptonector.com
Fri Apr 17 18:57:53 EDT 2026

On Fri, Apr 17, 2026 at 06:21:53PM -0400, Ken Hornstein via krbdev wrote:
> >Any ideas? If there's a way to increase the debugging (or even
> >instrument the mit code directly), I'm happy to try out any suggestions.
>
> Oh, I realized I should have answered this part as well:
>
> - The KDC logs are helpful as well (but they would have told you the
> exact same thing).
>
> - If you set the KRB5_TRACE environment variable, a lot of debugging output
> will be generated. You want that to be set to the name of an output
> file; you can use /dev/stdout on most operating systems to get it
> printed directly to the terminal. However, in this case it
> would have also told you the same thing, just more verbosely. E.g.:

Yes, this. I bet this is going to show MIT kinit doing a look-before-
jumping AS-REQ w/o pre-auth, but then the Heimdal KDC will not
synthesize the client principal since there will be no evidence that it
might exist.

Nico