[20562] in Kerberos_V5_Development


Re: trouble with pkinit

daemon@ATHENA.MIT.EDU (Ken Hornstein via krbdev)
Fri Apr 17 19:15:36 2026

Message-Id: <202604172214.63HMEdsC021911@hedwig.cmf.nrl.navy.mil>
To: Geoffrey Thorpe <geoff@geoffthorpe.net>
cc: krbdev@mit.edu
In-Reply-To: <b6fbcc5a-f48a-4b34-b31c-dbdf27d93c94@geoffthorpe.net>
MIME-Version: 1.0
Date: Fri, 17 Apr 2026 18:14:39 -0400
From: Ken Hornstein via krbdev <krbdev@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

> * The (Heimdal-based) KDC is configured to use synthetic principals, so
> indeed there is no "alicia" principal in the Kerberos database, the KDC
> is configured to issue a TGT for whichever client principal is in the
> client cert, whether or not that principal is in its database. This
> doesn't pose a problem with the Heimdal kinit, so I don't know why it
> would be an issue with the MIT one. (I.e. whether the principal is or
> isn't in the database is a KDC-side consideration, so why is this error
> message showing up on the client-side?)

This is 100% the problem.  In MIT Kerberos you need to create that
principal (and as I understand it, there would have to be some
significant rearchitecturing to support the concept of synthetic
principals as you've described them).  The error is showing up
client-side because the KDC is returning that error to the client
(wouldn't you want it to?)

--Ken
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev