[20561] in Kerberos_V5_Development


Re: trouble with pkinit

daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Apr 17 18:58:06 2026

Date: Fri, 17 Apr 2026 17:57:53 -0500
From: Nico Williams <nico@cryptonector.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Message-ID: <aeK68Z4E3JdNKI2K@ubby>
In-Reply-To: <202604172221.63HMLrN6021948@hedwig.cmf.nrl.navy.mil>
Cc: krbdev@mit.edu

On Fri, Apr 17, 2026 at 06:21:53PM -0400, Ken Hornstein via krbdev wrote:
> >Any ideas? If there's a way to increase the debugging (or even 
> >instrument the mit code directly), I'm happy to try out any suggestions. 
> 
> Oh, I realized I should have answered this part as well:
> 
> - The KDC logs are helpful as well (but they would have told you the
>   exact same thing).
> 
> - If you set the KRB5_TRACE environment variable, a lot of debugging output
>   will be generated.  You want that to be set to the name of an output
>   file; you can use /dev/stdout on most operating systems to get it
>   printed directly to the terminal.  However, in this case it
>   would have also told you the same thing, just more verbosely.  E.g.:

Yes, this.  I bet this is going to show MIT kinit doing a look-before-
jumping AS-REQ w/o pre-auth, but then the Heimdal KDC will not
synthesize the client principal since there will be no evidence that it
might exist.

Nico