Progress! Thanks, Love and Doug! I get output from according to the p11 logs for the signature. That's great!
$ kinit -C PKCS11:/usr/lib/pkcs11-spy.so
PIN code for ActivCard USB Reader 2.0 (60102D27) 00 00:
( Wrap Unwrap )
( Encrypt Decrypt Sign SigRecov Verify VerRecov Generate KeyPair Wrap Unwrap )
kinit: krb5_get_init_creds: Unknown error 569894
So that's a big hurdle gotten past. I need to see where I'm hanging up on now, but I ran a quick packet capture and packets are getting sent to the domain controller.
That error is HX509_CMS_NO_RECIPIENT_CERTIFICATE and it means that the
CMS lib doesn't find the certificate that made the signature/encryption. I assume
DH is used, so that would be signature then.
I need to add more debug messages to figure it out, but if you can run gdb on kinit
and try to figure out why find_CMSIdentifier() doesn't find the certificate (if it's even passed
back from the KDC).