[20563] in Kerberos_V5_Development
Re: trouble with pkinit
daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Apr 17 19:24:54 2026
Date: Fri, 17 Apr 2026 18:24:44 -0500
From: Nico Williams <nico@cryptonector.com>
To: Geoffrey Thorpe <geoff@geoffthorpe.net>
Cc: krbdev@mit.edu
Message-ID: <aeLBPIoPYKRXBtTZ@ubby>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <aeK6jA+/fCa86CPJ@ubby>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

I'm assuming the KDC is Heimdal in both cases. You can check my theory
very easily by creating the client principal in the KDC: if that works
then I'm right that MIT is looking before jumping.

Looking before jumping _is_ correct behavior, really, so I need to fix
this in Heimdal by having unknown client principals be synthesized for
the purposes of producing the KRB-ERROR MD/TD/PA that the client needs,
showing only PKINIT as an option (well, and Luke's GSS pre-auth option,
if enabled). But please confirm first.

Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
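The negotiation Nico describes, as an added model written for this archive page (it is not Heimdal, MIT Kerberos or Nico's code): a "look before jumping" client sends an AS-REQ with no pre-auth and picks a mechanism from the KRB-ERROR's method data, while a "jump first" client sends PA-PK-AS-REQ straight away. Two KDC policies are compared: one that returns KDC_ERR_C_PRINCIPAL_UNKNOWN for an unknown client, and one that synthesizes the unknown principal so it can return KDC_ERR_PREAUTH_REQUIRED advertising only PKINIT. Pre-auth type numbers and error codes are the RFC 4120 / RFC 4556 values; the assumption that the PKINIT path itself already accepts an unknown client (so only the probe is broken) and all class and function names are this model's own, and certificate validation is elided.

```python
"""Model of AS-REQ pre-auth negotiation against a KDC that may or may not
synthesize unknown client principals.  Added illustration, not project code."""
from dataclasses import dataclass, field

# Pre-authentication types (RFC 4120 / RFC 4556).
PA_ENC_TIMESTAMP = 2
PA_PK_AS_REQ = 16
PA_ETYPE_INFO2 = 19

# KDC error codes (RFC 4120).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25


@dataclass
class KrbError:
    error_code: int
    padata: list = field(default_factory=list)  # advertised PA types (e-data)


@dataclass
class AsRep:
    cname: str


class Kdc:
    """Hypothetical KDC.  synthesize_unknown=True models the fix Nico proposes."""

    def __init__(self, principals, synthesize_unknown):
        self.principals = set(principals)
        self.synthesize_unknown = synthesize_unknown

    def as_req(self, cname, padata):
        known = cname in self.principals
        # Model assumption: a PKINIT AS-REQ is accepted for an unknown client
        # under both policies (certificate validation elided here).
        if PA_PK_AS_REQ in padata:
            return AsRep(cname)
        if not known and not self.synthesize_unknown:
            # Old behaviour: no principal, so no KRB-ERROR method data at all.
            return KrbError(KDC_ERR_C_PRINCIPAL_UNKNOWN)
        if not padata:
            # Advertise pre-auth.  A synthesized principal has no long-term key,
            # so only PKINIT can be offered to an unknown client.
            if known:
                offered = [PA_ENC_TIMESTAMP, PA_ETYPE_INFO2, PA_PK_AS_REQ]
            else:
                offered = [PA_PK_AS_REQ]
            return KrbError(KDC_ERR_PREAUTH_REQUIRED, offered)
        if PA_ENC_TIMESTAMP in padata and known:
            return AsRep(cname)
        return KrbError(KDC_ERR_PREAUTH_FAILED)


def look_before_jump(kdc, cname, can_pkinit=True):
    """MIT-style client: probe with no pre-auth, then choose from the offer."""
    first = kdc.as_req(cname, [])
    if isinstance(first, AsRep):
        return first
    if first.error_code != KDC_ERR_PREAUTH_REQUIRED:
        return first  # e.g. C_PRINCIPAL_UNKNOWN: nothing to choose from, give up
    if can_pkinit and PA_PK_AS_REQ in first.padata:
        return kdc.as_req(cname, [PA_PK_AS_REQ])
    if PA_ENC_TIMESTAMP in first.padata:
        return kdc.as_req(cname, [PA_ENC_TIMESTAMP])
    return first


def jump_first(kdc, cname):
    """Client that sends PA-PK-AS-REQ without asking what the KDC offers."""
    return kdc.as_req(cname, [PA_PK_AS_REQ])


if __name__ == "__main__":
    old_kdc = Kdc(["alice"], synthesize_unknown=False)
    new_kdc = Kdc(["alice"], synthesize_unknown=True)
    print("old KDC, probe first:", look_before_jump(old_kdc, "bob"))
    print("old KDC, jump first: ", jump_first(old_kdc, "bob"))
    print("new KDC, probe first:", look_before_jump(new_kdc, "bob"))
```

Running the model shows the asymmetry in the thread: against the old policy the jump-first client succeeds and the probing client is stopped by KDC_ERR_C_PRINCIPAL_UNKNOWN; with the synthesized principal the probe gets PREAUTH_REQUIRED carrying only PA-PK-AS-REQ and completes. Creating the client principal in the KDC, as Nico suggests for confirmation, corresponds to adding it to `principals`.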