[20565] in Kerberos_V5_Development
Re: trouble with pkinit
daemon@ATHENA.MIT.EDU (Alexander Bokovoy via krbdev)
Sat Apr 18 01:45:36 2026
Date: Sat, 18 Apr 2026 08:45:19 +0300
To: Geoffrey Thorpe <geoff@geoffthorpe.net>
Cc: krbdev@mit.edu, Nico Williams <nico@cryptonector.com>,
Ken Hornstein <kenh@cmf.nrl.navy.mil>
Message-ID: <aeMab2We2Hiyp2sh@redhat.com>
MIME-Version: 1.0
In-Reply-To: <7b0494cd-128b-4222-bb85-667e19f81521@geoffthorpe.net>
Content-Disposition: inline
From: Alexander Bokovoy via krbdev <krbdev@mit.edu>
Reply-To: Alexander Bokovoy <abokovoy@redhat.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Fri, 17 Apr 2026, Geoffrey Thorpe wrote:
>Ken, Nico, thanks to both of you for following up.
>
>On 4/17/26 7:24 PM, Nico Williams wrote:
>>I'm assuming the KDC is Heimdal in both cases. You can check my theory
>>very easily by creating the client principal in the KDC: if that works
>>then I'm right that MIT is looking before jumping.
>
>That seems to be the case. If I add the principal explicitly to the
>KDC db, the pkinit completes fine with MIT's kinit. Without that, only
>the Heimdal kinit is able to pull a TGT for the (synthetic) principal.
>
>The KDC log didn't show anything but that's probably my automation not
>configuring the logging properly. I'll take another look next week.
>
>>Looking before jumping _is_ correct behavior, really, so I need to fix
>>this in Heimdal by having unknown client principals be synthesized for
>>the purposes of producing the KRB-ERROR MD/TD/PA that the client needs,
>>showing only PKINIT as an option (well, and Luke's GSS pre-auth option,
>>if enabled). But please confirm first.
>
>Confirmed. BTW, if you want me to test a Heimdal KDC patch, this is
>easy to repeat. (I'm still based on the "nico/synthetic-princs-in-hdb"
>branch in Heimdal, which you might want to merge to master at some
>point.)
We are doing something somewhat similar with localkdc, where user
principals do not exist in the KDC database but our KDB driver looks them
up through external sources (the userdb interface systemd provides on top
of NSS). You still need to resolve the get_principal() request by the KDC
to answer the question of which pre-auth mechanisms could be enabled for
this principal.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
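Added example, not code from MIT, Heimdal or localkdc: a constructed model of the AS exchange the thread describes, showing why a "look before jumping" client fails against a KDC that rejects unknown clients outright but succeeds once the KDC synthesizes an entry for the KRB-ERROR path. The `lookup` callable, the principal names and the per-principal pre-auth sets are assumptions standing in for get_principal() and a KDB backend.

```python
# Constructed model of the AS exchange discussed above; not MIT, Heimdal or
# localkdc code.  `lookup` plays the role of the KDC's get_principal(): it
# returns the pre-auth types a known client may use, or None when the client
# is absent from whatever backs the KDB (a database or an external source).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # RFC 4120 error codes
KDC_ERR_PREAUTH_REQUIRED = 25
PA_PK_AS_REQ = 16                  # RFC 4556 pre-authentication type


def kdc_as_exchange(client, padata, lookup, synthesize_for_error):
    """Answer one AS-REQ as a (kind, error_code, offered_pa_types) tuple.

    An unknown client that presents PKINIT is synthesized (the behaviour of
    the synthetic-principal branch).  Whether an unknown client that sends no
    pre-auth gets a KRB-ERROR advertising PKINIT, or is rejected as unknown,
    is the `synthesize_for_error` policy the thread proposes to change.
    """
    allowed = lookup(client)
    if allowed is None:
        if PA_PK_AS_REQ in padata:
            allowed = {PA_PK_AS_REQ}
        elif synthesize_for_error:
            return ("KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED, {PA_PK_AS_REQ})
        else:
            return ("KRB-ERROR", KDC_ERR_C_PRINCIPAL_UNKNOWN, set())
    if PA_PK_AS_REQ in padata and PA_PK_AS_REQ in allowed:
        return ("AS-REP", 0, set())
    # Nothing usable yet: report what the client may try (METHOD-DATA).
    return ("KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED, allowed)


def kinit_pkinit(client, look_before_jump, lookup, synthesize_for_error):
    """Client side of the exchange; True when a TGT is obtained via PKINIT."""
    if look_before_jump:
        # MIT-style: an AS-REQ without pre-auth first, then act on the offer.
        kind, code, offered = kdc_as_exchange(client, set(), lookup, synthesize_for_error)
        if kind != "KRB-ERROR" or code != KDC_ERR_PREAUTH_REQUIRED or PA_PK_AS_REQ not in offered:
            return False       # rejected as unknown, or PKINIT not offered: give up
    # Heimdal-style (and MIT's second round trip): send PA-PK-AS-REQ directly.
    kind, _, _ = kdc_as_exchange(client, {PA_PK_AS_REQ}, lookup, synthesize_for_error)
    return kind == "AS-REP"


def interop_matrix(lookup, client="synthetic@EXAMPLE.TEST"):
    """Outcome per (client strategy, KDC policy) for a client absent from the KDB."""
    return {("look-before-jump" if lbj else "pkinit-first", "synthesize" if fix else "unknown"):
            kinit_pkinit(client, lbj, lookup, fix)
            for lbj in (True, False) for fix in (False, True)}


# Constructed KDB backend: one explicitly created principal, everything else absent.
KDB = {"known@EXAMPLE.TEST": {PA_PK_AS_REQ}}
lookup_kdb = KDB.get
```

The False cell of `interop_matrix(lookup_kdb)` is the symptom reported above; adding the principal to `KDB` makes both client strategies succeed regardless of policy.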