[20564] in Kerberos_V5_Development
Re: trouble with pkinit
daemon@ATHENA.MIT.EDU (Geoffrey Thorpe)
Fri Apr 17 23:42:53 2026
Message-ID: <7b0494cd-128b-4222-bb85-667e19f81521@geoffthorpe.net>
Date: Fri, 17 Apr 2026 23:42:37 -0400
MIME-Version: 1.0
To: krbdev@mit.edu
Cc: Nico Williams <nico@cryptonector.com>,
Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Language: en-US
From: Geoffrey Thorpe <geoff@geoffthorpe.net>
In-Reply-To: <aeLBPIoPYKRXBtTZ@ubby>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: krbdev-bounces@mit.edu
Ken, Nico, thanks to both of you for following up.
On 4/17/26 7:24 PM, Nico Williams wrote:
> I'm assuming the KDC is Heimdal in both cases. You can check my theory
> very easily by creating the client principal in the KDC: if that works
> then I'm right that MIT is looking before jumping.
That seems to be the case. If I add the principal explicitly to the KDC
db, the pkinit completes fine with MIT's kinit. Without that, only the
Heimdal kinit is able to pull a TGT for the (synthetic) principal.
The KDC log didn't show anything but that's probably my automation not
configuring the logging properly. I'll take another look next week.
> Looking before jumping _is_ correct behavior, really, so I need to fix
> this in Heimdal by having unknown client principals be synthesized for
> the purposes of producing the KRB-ERROR MD/TD/PA that the client needs,
> showing only PKINIT as an option (well, and Luke's GSS pre-auth option,
> if enabled). But please confirm first.
Confirmed. BTW, if you want me to test a Heimdal KDC patch, this is easy
to repeat. (I'm still based on the "nico/synthetic-princs-in-hdb" branch
in Heimdal, which you might want to merge to master at some point.)
Cheers,
Geoff
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
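The exchange Nico and Geoff describe above, reduced to a small model you can run offline. This is an added example, not code from Heimdal or MIT Kerberos. The KDC constants are the real RFC 4120 / RFC 4556 values; everything else is an assumption for illustration: the two KDC policy switches (synthesize a client principal only when a PKINIT request with a certificate arrives, versus also when producing the PREAUTH_REQUIRED hint), the "cert:<name>" toy certificate check, and the PA list a synthesized principal advertises. The "MIT-style" client looks before jumping (bare AS-REQ first, PKINIT only if the KRB-ERROR offers it); the "Heimdal-style" client sends PKINIT in its first request.

```python
"""Constructed model of the AS exchange from the thread (not Heimdal or MIT code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Real protocol constants; the rest of this file is a simplification.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # RFC 4120
KDC_ERR_PREAUTH_FAILED = 24        # RFC 4120
KDC_ERR_PREAUTH_REQUIRED = 25      # RFC 4120
PA_ENC_TIMESTAMP = 2               # RFC 4120
PA_PK_AS_REQ = 16                  # RFC 4556 (PKINIT)


@dataclass(frozen=True)
class Principal:
    name: str
    synthetic: bool
    preauth: Tuple[int, ...]       # PA types the KDC will offer and accept


@dataclass(frozen=True)
class Reply:
    kind: str                      # "AS-REP", "KRB-ERROR" or "CLIENT-GAVE-UP"
    code: int = 0                  # KDC error code when kind == "KRB-ERROR"
    hints: Tuple[int, ...] = ()    # PA types advertised in a PREAUTH_REQUIRED error
    synthetic: bool = False        # AS-REP issued for a principal not in the HDB


class KDC:
    """Toy KDC with two assumed policy switches (not Heimdal's real knobs)."""

    def __init__(self, db: Dict[str, Principal], synth_from_cert: bool, synth_for_hints: bool):
        self.db = dict(db)
        self.synth_from_cert = synth_from_cert   # accept PKINIT for clients absent from the HDB
        self.synth_for_hints = synth_for_hints   # also synthesize on the bare-request (hint) path

    def _lookup(self, cname: str, have_cert: bool) -> Optional[Principal]:
        if cname in self.db:
            return self.db[cname]
        if self.synth_from_cert and (have_cert or self.synth_for_hints):
            # Assumption: a synthesized principal can only ever do PKINIT.
            return Principal(cname, synthetic=True, preauth=(PA_PK_AS_REQ,))
        return None

    def as_req(self, cname: str, padata: Dict[int, str]) -> Reply:
        princ = self._lookup(cname, have_cert=PA_PK_AS_REQ in padata)
        if princ is None:
            return Reply("KRB-ERROR", KDC_ERR_C_PRINCIPAL_UNKNOWN)
        if not padata:
            # Bare AS-REQ: tell the client which pre-auth mechanisms it may use.
            return Reply("KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED, princ.preauth)
        cert = padata.get(PA_PK_AS_REQ)
        # Toy check standing in for PKINIT signature/identity validation.
        if cert is not None and PA_PK_AS_REQ in princ.preauth and cert == f"cert:{cname}":
            return Reply("AS-REP", synthetic=princ.synthetic)
        return Reply("KRB-ERROR", KDC_ERR_PREAUTH_FAILED)


def mit_style_kinit(kdc: KDC, cname: str, cert: str) -> Reply:
    """Look before jumping: ask first, then use PKINIT only if the KDC offered it."""
    first = kdc.as_req(cname, {})
    if first.kind != "KRB-ERROR" or first.code != KDC_ERR_PREAUTH_REQUIRED:
        return first                          # e.g. C_PRINCIPAL_UNKNOWN: nothing more to try
    if PA_PK_AS_REQ not in first.hints:
        return Reply("CLIENT-GAVE-UP", hints=first.hints)
    return kdc.as_req(cname, {PA_PK_AS_REQ: cert})


def heimdal_style_kinit(kdc: KDC, cname: str, cert: str) -> Reply:
    """Send PKINIT pre-authentication in the very first AS-REQ."""
    return kdc.as_req(cname, {PA_PK_AS_REQ: cert})


def run_matrix(cname: str = "alice@EXAMPLE.ORG") -> Dict[str, Tuple[Reply, Reply]]:
    """(MIT-style result, Heimdal-style result) for each KDC configuration."""
    cert = f"cert:{cname}"
    explicit = {cname: Principal(cname, False, (PA_ENC_TIMESTAMP, PA_PK_AS_REQ))}
    kdcs = {
        "no synthetic principals":            KDC({}, False, False),
        "synthetic, hint path not synthesized": KDC({}, True, False),   # the thread's failing case
        "principal added to the HDB":         KDC(explicit, True, False),
        "synthetic, hint path synthesized":   KDC({}, True, True),      # Nico's proposed fix
    }
    return {name: (mit_style_kinit(k, cname, cert), heimdal_style_kinit(k, cname, cert))
            for name, k in kdcs.items()}


def hints_for(kdc: KDC, cname: str) -> Tuple[int, ...]:
    """PA types a bare AS-REQ for cname is offered (empty if the KDC errors otherwise)."""
    return kdc.as_req(cname, {}).hints


if __name__ == "__main__":
    for name, (mit, heimdal) in run_matrix().items():
        print(f"{name:40s} MIT-style: {mit.kind}/{mit.code}   Heimdal-style: {heimdal.kind}/{heimdal.code}")
```

Two things worth checking against a real deployment once Geoff's KDC logging is working. First, the hint list itself carries information: in this model an HDB principal is offered both encrypted-timestamp and PKINIT, while a synthesized one is offered PKINIT only, so a bare AS-REQ still distinguishes the two. Second, once the hint path synthesizes, an unknown client name no longer yields KDC_ERR_C_PRINCIPAL_UNKNOWN; a client presenting the wrong certificate gets KDC_ERR_PREAUTH_FAILED instead, which is the behaviour monitoring rules on the KDC log should expect.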