trouble with pkinit
Geoffrey Thorpe
geoff at geoffthorpe.net
Fri Apr 17 23:42:37 EDT 2026
Ken, Nico, thanks to both of you for following up.
On 4/17/26 7:24 PM, Nico Williams wrote:
> I'm assuming the KDC is Heimdal in both cases. You can check my theory
> very easily by creating the client principal in the KDC: if that works
> then I'm right that MIT is looking before jumping.
That seems to be the case. If I add the principal explicitly to the KDC
db, the pkinit completes fine with MIT's kinit. Without that, only the
Heimdal kinit is able to pull a TGT for the (synthetic) principal.
The KDC log didn't show anything but that's probably my automation not
configuring the logging properly. I'll take another look next week.
> Looking before jumping _is_ correct behavior, really, so I need to fix
> this in Heimdal by having unknown client principals be synthesized for
> the purposes of producing the KRB-ERROR MD/TD/PA that the client needs,
> showing only PKINIT as an option (well, and Luke's GSS pre-auth option,
> if enabled). But please confirm first.
Confirmed. BTW, if you want me to test a Heimdal KDC patch, this is easy
to repeat. (I'm still based on the "nico/synthetic-princs-in-hdb" branch
in Heimdal, which you might want to merge to master at some point.)
Cheers,
Geoff
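The exchange discussed in this thread, as an added toy model that is not Heimdal or MIT code: a KDC that either does or does not synthesize an unknown client principal when building the KRB-ERROR, paired with a "look before jumping" client (an un-pre-authenticated AS-REQ first, then PKINIT only if the returned PA hint offers it) and a client that sends PA-PK-AS-REQ straight away. The error and PA-DATA numbers are the RFC 4120/4556 values; everything else (the `Kdc` and `AsReq` shapes, that the unpatched KDC answers with KDC_ERR_C_PRINCIPAL_UNKNOWN, that the Heimdal-style client does not depend on the error hint, and the cert-to-principal check) is an assumption made for the model.

```python
"""Toy model of the PKINIT AS exchange from the thread (added example, not
Heimdal/MIT code). Certificates are modelled as the principal name they map to."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # RFC 4120
KDC_ERR_PREAUTH_REQUIRED = 25     # RFC 4120
PA_ENC_TIMESTAMP = 2              # RFC 4120
PA_PK_AS_REQ = 16                 # RFC 4556


@dataclass
class AsReq:
    client: str
    padata: Dict[int, str] = field(default_factory=dict)   # pa-type -> payload


@dataclass
class KdcReply:
    ok: bool
    error: Optional[int] = None
    pa_offered: Tuple[int, ...] = ()   # PA types advertised in a KRB-ERROR
    tgt_for: Optional[str] = None


@dataclass
class Kdc:
    hdb: Set[str]                  # principals explicitly present in the HDB
    synthetic_principals: bool     # HDB synthesizes a client from its PKINIT cert
    synthesize_for_error: bool     # the proposed fix: also synthesize for KRB-ERROR

    def handle(self, req: AsReq) -> KdcReply:
        known = req.client in self.hdb
        if PA_PK_AS_REQ in req.padata:
            # PKINIT present: the cert identity must match the requested client
            # (assumed check); a synthetic principal is acceptable if enabled.
            if req.padata[PA_PK_AS_REQ] != req.client:
                return KdcReply(False, KDC_ERR_C_PRINCIPAL_UNKNOWN)
            if known or self.synthetic_principals:
                return KdcReply(True, tgt_for=req.client)
            return KdcReply(False, KDC_ERR_C_PRINCIPAL_UNKNOWN)
        # No pre-auth: the client is probing for a PREAUTH_REQUIRED hint.
        if known:
            return KdcReply(False, KDC_ERR_PREAUTH_REQUIRED,
                            (PA_ENC_TIMESTAMP, PA_PK_AS_REQ))
        if self.synthetic_principals and self.synthesize_for_error:
            # A synthetic principal has no long-term key, so only PKINIT is offered.
            return KdcReply(False, KDC_ERR_PREAUTH_REQUIRED, (PA_PK_AS_REQ,))
        return KdcReply(False, KDC_ERR_C_PRINCIPAL_UNKNOWN)   # assumed behaviour


def kinit_look_before_jump(kdc: Kdc, princ: str) -> KdcReply:
    """MIT-style: probe first, use PKINIT only if the KRB-ERROR offers it."""
    first = kdc.handle(AsReq(princ))
    if first.error != KDC_ERR_PREAUTH_REQUIRED or PA_PK_AS_REQ not in first.pa_offered:
        return first
    return kdc.handle(AsReq(princ, {PA_PK_AS_REQ: princ}))


def kinit_jump(kdc: Kdc, princ: str) -> KdcReply:
    """Heimdal-style (assumed): send PA-PK-AS-REQ in the very first AS-REQ."""
    return kdc.handle(AsReq(princ, {PA_PK_AS_REQ: princ}))


def outcome_matrix() -> Dict[Tuple[str, str], bool]:
    """Whether each (KDC variant, client) pair obtains a TGT for a principal
    that exists only as a synthetic, cert-derived identity."""
    princ = "geoff@EXAMPLE.TEST"   # constructed principal name
    kdcs = {
        "unpatched": Kdc(hdb=set(), synthetic_principals=True, synthesize_for_error=False),
        "patched": Kdc(hdb=set(), synthetic_principals=True, synthesize_for_error=True),
        "unpatched+hdb-entry": Kdc(hdb={princ}, synthetic_principals=True,
                                   synthesize_for_error=False),
    }
    clients = {"mit": kinit_look_before_jump, "heimdal": kinit_jump}
    return {(k, c): clients[c](kdcs[k], princ).ok
            for k in kdcs for c in clients}


if __name__ == "__main__":
    for (kdc_name, client), ok in outcome_matrix().items():
        print(f"{kdc_name:22s} {client:8s} -> {'TGT' if ok else 'FAIL'}")
```

The matrix reproduces the thread's observations: only the probing client fails against the unpatched KDC, and either adding the principal to the HDB or synthesizing it for the KRB-ERROR makes that client succeed too.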