
Re: trouble with pkinit

daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Apr 17 18:56:28 2026

Date: Fri, 17 Apr 2026 17:56:12 -0500
From: Nico Williams <nico@cryptonector.com>
To: Geoffrey Thorpe <geoff@geoffthorpe.net>
Cc: krbdev@mit.edu
Message-ID: <aeK6jA+/fCa86CPJ@ubby>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <b6fbcc5a-f48a-4b34-b31c-dbdf27d93c94@geoffthorpe.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Fri, Apr 17, 2026 at 06:05:20PM -0400, Geoffrey Thorpe wrote:

> Ok, so Heimdal client to Heimdal KDC works, but MIT client to Heimdal
> KDC gets:

> root@alicia:~# kinit -V \
> -X X509_user_identity=FILE:/assets/pkinit-client-alicia.pem alicia
> Using default cache: /tmp/krb5cc_0
> Using principal: alicia@HCPHACKING.XYZ
> PA Option X509_user_identity = FILE:/assets/pkinit-client-alicia.pem
> kinit: Client 'alicia@HCPHACKING.XYZ' not found in Kerberos database while
> getting initial credentials

What does the KDC say in its log files?

> * The (Heimdal-based) KDC is configured to use synthetic principals, so
> indeed there is no "alicia" principal in the Kerberos database, the KDC is
> configured to issue a TGT for whichever client principal is in the client
> cert, whether or not that principal is in its database. This doesn't pose a
> problem with the Heimdal kinit, so I don't know why it would be an issue
> with the MIT one. (I.e. whether the principal is or isn't in the database is
> a KDC-side consideration, so why is this error message showing up on the
> client-side?)

Oh!  I wonder if the MIT client is trying an AS-REQ w/o pre-auth first
to discover if PKINIT is supported for alicia@HCPHACKING.XYZ -- if so
that would prevent this working.  Maybe it's trying to discover DH
algorithms and parameters and what not?  It would be better for MIT
Kerberos' kinit to optimistically pick a suitable set of algorithms and
parameters and jump rather than look-before-jumping.

I could work around this in the Heimdal KDC by returning only PKINIT
pre-auth metadata to an AS client that tries to get a ticket for a
non-existent principal w/o pre-auth data.

I should add a test of interop with MIT for this specific case.

> * If I run the "kinit" command without the "-X" argument providing the
> certificate, I see exactly the same error.

That would be expected.

> Any ideas? [...]

See above.

Nico
-- 
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
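The exchange hypothesised in the reply above (a "look-before-jumping" client whose first AS-REQ carries no pre-authentication data, so a KDC that does not list the principal answers KDC_ERR_C_PRINCIPAL_UNKNOWN before the client ever presents its certificate) and the proposed KDC-side workaround (answering such a request for an unknown principal with KDC_ERR_PREAUTH_REQUIRED and PKINIT pa-data only), as an added toy model. This is constructed illustration, not MIT or Heimdal code, and it does not claim to show what MIT kinit actually does on the wire. The sample realm contents, the principal `bob`, and the reduction of PA-PK-AS-REQ to the principal name bound in the client certificate are assumptions of the model; the numeric error codes and pa-data types are the ones in RFC 4120 and RFC 4556.

```python
"""
Toy model of the Kerberos AS exchange discussed in the thread: a client that
probes with a pre-auth-less AS-REQ versus one that sends PA-PK-AS-REQ up
front, against a KDC that issues TGTs for synthetic (unlisted) PKINIT
principals.  Constructed example; not MIT or Heimdal code.
"""
from dataclasses import dataclass
from typing import Dict, Tuple, Union

# Error codes and pa-data types from RFC 4120 / RFC 4556.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_REQUIRED = 25
KDC_ERR_CLIENT_NAME_MISMATCH = 75
PA_ENC_TIMESTAMP = 2
PA_PK_AS_REQ = 16


@dataclass
class AsReq:
    cname: str
    # pa-type -> payload.  A real PA-PK-AS-REQ carries a CMS-signed AuthPack
    # and the client certificate; the model reduces it to the principal name
    # bound in that certificate (assumption).
    padata: Dict[int, str]


@dataclass
class KrbError:
    error_code: int
    # pa-types advertised in e-data (METHOD-DATA) alongside PREAUTH_REQUIRED
    hints: Tuple[int, ...] = ()


@dataclass
class AsRep:
    cname: str  # principal the TGT was issued to


Reply = Union[KrbError, AsRep]


class Kdc:
    def __init__(self, db, synthetic_pkinit=False, hint_pkinit_for_unknown=False):
        self.db = set(db)
        # Issue a TGT for whatever principal the client cert names, listed or not.
        self.synthetic_pkinit = synthetic_pkinit
        # Workaround from the thread: a pre-auth-less AS-REQ for an unknown
        # principal gets PREAUTH_REQUIRED with PKINIT pa-data only, rather than
        # C_PRINCIPAL_UNKNOWN.
        self.hint_pkinit_for_unknown = hint_pkinit_for_unknown

    def handle(self, req: AsReq) -> Reply:
        known = req.cname in self.db
        if PA_PK_AS_REQ in req.padata:
            cert_principal = req.padata[PA_PK_AS_REQ]
            if cert_principal != req.cname:
                return KrbError(KDC_ERR_CLIENT_NAME_MISMATCH)
            if known or self.synthetic_pkinit:
                return AsRep(req.cname)
            return KrbError(KDC_ERR_C_PRINCIPAL_UNKNOWN)
        # No pre-auth data: the client is asking what it should do next.
        if not known:
            if self.hint_pkinit_for_unknown:
                return KrbError(KDC_ERR_PREAUTH_REQUIRED, (PA_PK_AS_REQ,))
            return KrbError(KDC_ERR_C_PRINCIPAL_UNKNOWN)
        return KrbError(KDC_ERR_PREAUTH_REQUIRED, (PA_ENC_TIMESTAMP, PA_PK_AS_REQ))


def probing_client(kdc: Kdc, principal: str, cert_principal: str) -> Reply:
    """Look before jumping: first AS-REQ has no pa-data; PKINIT only if advertised."""
    first = kdc.handle(AsReq(principal, {}))
    if isinstance(first, AsRep):
        return first
    if first.error_code != KDC_ERR_PREAUTH_REQUIRED or PA_PK_AS_REQ not in first.hints:
        # C_PRINCIPAL_UNKNOWN here is what surfaces as "not found in Kerberos database".
        return first
    return kdc.handle(AsReq(principal, {PA_PK_AS_REQ: cert_principal}))


def optimistic_client(kdc: Kdc, principal: str, cert_principal: str) -> Reply:
    """Jump first: send PA-PK-AS-REQ on the very first AS-REQ."""
    return kdc.handle(AsReq(principal, {PA_PK_AS_REQ: cert_principal}))


if __name__ == "__main__":
    # Constructed sample realm: only "bob" is in the KDC database.
    realm = {"bob@HCPHACKING.XYZ"}
    alicia = "alicia@HCPHACKING.XYZ"
    kdc = Kdc(realm, synthetic_pkinit=True)
    print("probing   :", probing_client(kdc, alicia, alicia))
    print("optimistic:", optimistic_client(kdc, alicia, alicia))
    fixed = Kdc(realm, synthetic_pkinit=True, hint_pkinit_for_unknown=True)
    print("probing, hinting KDC:", probing_client(fixed, alicia, alicia))
```

Run as-is to see the three outcomes: the probing client is turned away with error 6 by the synthetic-principal KDC, the optimistic client gets a TGT from the same KDC, and the probing client also succeeds once the KDC advertises PKINIT for unknown principals. The model also keeps the usual behaviour for a listed principal (PREAUTH_REQUIRED advertising both encrypted-timestamp and PKINIT) and rejects a certificate whose principal does not match the requested client name.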
