trouble with pkinit
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Apr 17 18:14:39 EDT 2026
>* The (Heimdal-based) KDC is configured to use synthetic principals, so
>indeed there is no "alicia" principal in the Kerberos database, the KDC
>is configured to issue a TGT for whichever client principal is in the
>client cert, whether or not that principal is in its database. This
>doesn't pose a problem with the Heimdal kinit, so I don't know why it
>would be an issue with the MIT one. (I.e. whether the principal is or
>isn't in the database is a KDC-side consideration, so why is this error
>message showing up on the client-side?)
This is 100% the problem. In MIT Kerberos you need to create that
principal (and as I understand it, there would have to be some
significant rearchitecturing to support the concept of synthetic
principals as you've described them). The error is showing up
client-side because the KDC is returning that error to the client
(wouldn't you want it to?)
--Ken
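As an added example, not code from the thread or from either Kerberos project: the MIT-side workaround Ken describes is to create the principal named in the client certificate before PKINIT will work. The script below takes the output of `kadmin.local -q listprincs`, reports which certificate principals are absent, and emits the `addprinc -nokey` commands that create them without a long-term key (so they can only authenticate via PKINIT, not a password). The realm `EXAMPLE.COM`, the principal names, the certificate paths and the sample `listprincs` output are all constructed assumptions.

```shell
# Added example (not from the thread): find the PKINIT client principals an
# MIT KDC does not know and emit the kadmin.local commands that create them
# as key-less, PKINIT-only principals.  Realm, names and paths are assumed.
set -eu

REALM=${REALM:-EXAMPLE.COM}

# Constructed sample of `kadmin.local -q listprincs` output.  On a real KDC
# replace it with:  kadmin.local -q listprincs > princs.txt
sample_listprincs() {
    cat <<'EOF'
Authenticating as principal root/admin@EXAMPLE.COM with password.
bob@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
EOF
}

# Print each requested principal that is absent from the listprincs output
# read on stdin.  Unqualified names get the realm appended.
missing_principals() {
    db=$(cat)
    for p in "$@"; do
        case $p in *@*) ;; *) p="$p@$REALM" ;; esac
        if ! printf '%s\n' "$db" | grep -qxF -- "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# For each missing principal, emit the command that creates it with no
# long-term key: it can then only authenticate with PKINIT, so there is no
# password-derived key to guess.
addprinc_commands() {
    while read -r p; do
        printf 'kadmin.local -q "addprinc -nokey %s"\n' "$p"
    done
}

# Usage: run the pipeline, execute the printed commands on the KDC, then
# retry PKINIT with the MIT client (certificate and key paths assumed):
#   kinit -X X509_user_identity=FILE:/etc/pki/alicia.pem,/etc/pki/alicia.key alicia
sample_listprincs | missing_principals alicia bob | addprinc_commands
```

The check is a whole-line match on the principal name, so `bob@EXAMPLE.COM` does not mask a missing `bob/admin@EXAMPLE.COM`; if the certificate carries a principal in another realm, pass it fully qualified so the realm default is not applied.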