trouble with pkinit
Nico Williams
nico at cryptonector.com
Fri Apr 17 19:24:44 EDT 2026
I'm assuming the KDC is Heimdal in both cases. You can check my theory
very easily by creating the client principal in the KDC: if that works
then I'm right that MIT is looking before jumping.

Looking before jumping _is_ correct behavior, really, so I need to fix
this in Heimdal by having unknown client principals be synthesized for
the purposes of producing the KRB-ERROR MD/TD/PA that the client needs,
showing only PKINIT as an option (well, and Luke's GSS pre-auth option,
if enabled). But please confirm first.

Nico