
Re: trouble with pkinit

daemon@ATHENA.MIT.EDU (Alexander Bokovoy via krbdev)
Sat Apr 18 04:25:31 2026

Date: Sat, 18 Apr 2026 11:25:06 +0300
To: Nico Williams <nico@cryptonector.com>
Message-ID: <aeM/4rokY4x3ulcz@redhat.com>
MIME-Version: 1.0
In-Reply-To: <aeMmMnZ/oMMFKU0q@ubby>
Content-Disposition: inline
From: Alexander Bokovoy via krbdev <krbdev@mit.edu>
Reply-To: Alexander Bokovoy <abokovoy@redhat.com>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, krbdev@mit.edu
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Sat, 18 Apr 2026, Nico Williams wrote:
>On Sat, Apr 18, 2026 at 08:45:19AM +0300, Alexander Bokovoy wrote:
>> We are doing somewhat similar with localkdc where user principals do not
>> exist in the KDC database but our KDB driver looks them up through
>> external sources (userdb interface systemd provides on top of NSS). You
>> still need to resolve get_principal() request by the KDC to answer the
>> questions which pre-auth mechanisms could be enabled for this principal.
>
>The observation in Heimdal's synthetic principals feature is that if
>there is a pre-auth mechanism that can externally identify and
>authenticate the principal, and the principal record does not exist,
>then we can synthesize without further ado.  PKINIT can do that.
>Encrypted challenges can't.  So if the principal record doesn't exist
>then we can synthesize one that allows PKINIT and not encrypted
>challenges, which is what we do, but we don't do it for the purposes of
>KRB-ERROR generation for pre-auth-less AS-REQs -- _that_ is the bug
>biting Geoffrey.

From the MIT KDC's point of view there is no difference -- the KDC will ask for
get_principal(principal) and will follow the returned KDB entry's
content. It may get an answer 'we have no such principal', a minimal entry
for referral purposes, a synthesized one, etc. If an entry exists according
to the KDB driver, that's good enough, and the KDC will continue with the
response. The MIT KDC actually always assumes PKINIT is possible for any
non-referral entry, which is why it works even if other pre-auth types
aren't returning anything.

But you have to return a minimal KDB entry first to even trigger that.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
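A small model, added here and not code from MIT krb5 or from anyone in the thread, of the lookup-then-pre-auth flow described above: the KDB driver either returns an entry or not, the KDC offers PKINIT for any entry it gets back, and offers encrypted challenge only when a long-term key exists, so a synthesized key-less entry yields a PKINIT-only KRB-ERROR while no entry at all yields C_PRINCIPAL_UNKNOWN. The principal names, the `in_kdb`/`externally_known` lookups and the `synthesize` flag are constructed assumptions, not krb5 API.

```c
#include <stdbool.h>
#include <string.h>

/* What the KDB driver's get_principal() hands back (model, not krb5 types).
 * Referral entries are left out of this model. */
enum entry_kind { ENTRY_NONE, ENTRY_MINIMAL, ENTRY_FULL };
struct kdb_entry { enum entry_kind kind; bool has_long_term_key; };

/* Pre-auth mechanisms the KDC can list in a KRB-ERROR, as bit flags. */
#define OFFER_PKINIT        0x1u  /* PA-PK-AS-REQ: needs no stored key */
#define OFFER_ENC_CHALLENGE 0x2u  /* PA-ENCRYPTED-CHALLENGE: needs a long-term key */

enum kdc_result { KDC_CONTINUE, KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_REQUIRED };

/* Constructed "database" and "external source" (think userdb/NSS lookup). */
static bool in_kdb(const char *p)           { return strcmp(p, "alice") == 0; }
static bool externally_known(const char *p) { return strcmp(p, "bob") == 0; }

/* Model of the KDB driver: if synthesis is enabled, return a minimal,
 * key-less entry for a principal the external source vouches for. */
struct kdb_entry get_principal(const char *p, bool synthesize) {
    struct kdb_entry e = { ENTRY_NONE, false };
    if (in_kdb(p)) {
        e.kind = ENTRY_FULL;
        e.has_long_term_key = true;
    } else if (synthesize && externally_known(p)) {
        e.kind = ENTRY_MINIMAL;   /* enough to trigger the pre-auth path */
    }
    return e;
}

/* Model of the KDC's AS-REQ path: look the client up, then either continue
 * or build the KRB-ERROR that advertises the usable pre-auth types. */
enum kdc_result handle_as_req(const char *client, bool has_preauth,
                              bool synthesize, unsigned *offered) {
    struct kdb_entry e = get_principal(client, synthesize);
    *offered = 0;
    if (e.kind == ENTRY_NONE)
        return KDC_ERR_C_PRINCIPAL_UNKNOWN;   /* nothing to hang pre-auth on */
    *offered |= OFFER_PKINIT;                 /* assumed possible for any entry */
    if (e.has_long_term_key)
        *offered |= OFFER_ENC_CHALLENGE;      /* only with a stored key */
    if (!has_preauth)
        return KDC_ERR_PREAUTH_REQUIRED;      /* KRB-ERROR listing *offered */
    return KDC_CONTINUE;
}
```

Running the pre-auth-less AS-REQ for "bob" with `synthesize` off reproduces the unknown-principal outcome the thread is discussing; turning it on yields a PREAUTH_REQUIRED error that lists only PKINIT.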

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev