[20558] in Kerberos_V5_Development
trouble with pkinit
daemon@ATHENA.MIT.EDU (Geoffrey Thorpe)
Fri Apr 17 18:05:36 2026
Message-ID: <b6fbcc5a-f48a-4b34-b31c-dbdf27d93c94@geoffthorpe.net>
Date: Fri, 17 Apr 2026 18:05:20 -0400
MIME-Version: 1.0
Content-Language: en-US
To: krbdev@mit.edu
From: Geoffrey Thorpe <geoff@geoffthorpe.net>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: krbdev-bounces@mit.edu
Hi all
I previously posted about my "HCP" interest in MIT kerberos (porting it
over from Heimdal) on the kerberos@mit.edu mail list;
https://mailman.mit.edu/pipermail/kerberos/2026-March/023321.html
I've made a little progress since then. Not much, but a little. I've
managed to teach it to build two variants of the base image, the
existing one (which is Heimdal-based) plus a new alternative, which has
MIT kerberos (and rra/kstart!) and none of the Heimdal stuff. And from
there, the first baby-step is to try to get the "alicia" workload of the
test use-case to run on the MIT variant. (I.e. to leave all the
infrastructural elements, KDCs and what-not, running on the
Heimdal-based image, and just move one of the test clients over to MIT.)
The "alicia" workload uses kinit (with a pkinit client cert that is
provisioned by the HCP machinery) to get a TGT and then tries to use
that to connect to another workload over ssh (using GSS). When running
alicia on the MIT-based image, what I'm seeing is;
root@alicia:~# kinit -V \
-X X509_user_identity=FILE:/assets/pkinit-client-alicia.pem alicia
Using default cache: /tmp/krb5cc_0
Using principal: alicia@HCPHACKING.XYZ
PA Option X509_user_identity = FILE:/assets/pkinit-client-alicia.pem
kinit: Client 'alicia@HCPHACKING.XYZ' not found in Kerberos database while getting initial credentials
Whereas if I start the alicia container using the Heimdal-based image,
it gets a TGT just fine;
root@alicia:~# kinit \
-C FILE:/assets/pkinit-client-alicia.pem alicia
root@alicia:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: alicia@HCPHACKING.XYZ
  Issued                Expires               Principal
Apr 17 21:42:32 2026  Apr 17 21:47:32 2026  krbtgt/HCPHACKING.XYZ@HCPHACKING.XYZ
Notes that might be relevant;
* I confirmed the MIT-based image has pkinit support built/installed
* These both use the same krb5.conf, with the same [realms] config;
  * the 'kdc' attribute points to the correct KDC
  * 'pkinit_anchors' points to the CA file (that signed the KDC cert)
* The (Heimdal-based) KDC is configured to use synthetic principals, so
  indeed there is no "alicia" principal in the Kerberos database, the KDC
  is configured to issue a TGT for whichever client principal is in the
  client cert, whether or not that principal is in its database. This
  doesn't pose a problem with the Heimdal kinit, so I don't know why it
  would be an issue with the MIT one. (I.e. whether the principal is or
  isn't in the database is a KDC-side consideration, so why is this error
  message showing up on the client-side?)
* If I run the "kinit" command without the "-X" argument providing the
  certificate, I see exactly the same error.
Any ideas? If there's a way to increase the debugging (or even
instrument the mit code directly), I'm happy to try out any suggestions.
BTW, the HCP build can generate the MIT-based image using either
standard debian packages or compiling and installing from source, and I
have tried both. If anyone wants me to patch the mit-krb5 source to try
out any ideas, I'm currently compiling and installing from the master
branch of the github.com/krb5/krb5 repo.
(Also BTW, I haven't yet pushed my MIT-supporting HCP changes, so if you
are courageous enough to want to try any of this yourself, please ping
me first.)
TIA
Cheers,
Geoff