Bug
Resolution: Not a Bug
rhel-8.9.0
Moderate
rhel-sst-idm-ipa
ssg_idm
Red Hat Enterprise Linux
x86_64
What were you trying to do that didn't work?
I am trying to log in to a RHEL system using a smart card mapped to a Microsoft Active Directory account. The system is joined to a Red Hat IdM domain with a cross-forest trust to Active Directory.
Please provide the package NVR for which the bug is seen:
krb5-workstation-1.18.2-26.el8_9.x86_64
krb5-devel-1.18.2-26.el8_9.x86_64
krb5-libs-1.18.2-26.el8_9.x86_64
krb5-pkinit-1.18.2-26.el8_9.x86_64
sssd-krb5-common-2.9.1-4.el8_9.5.x86_64
sssd-krb5-2.9.1-4.el8_9.5.x86_64
sssd-ad-2.9.1-4.el8_9.5.x86_64
ipa-client-4.9.12-9
sssd-ipa-2.9.1-4
How reproducible:
Every login
Steps to reproduce
1. Install Red Hat Identity Management (IdM) with external CA (ipa.corp.lab.local)
2. Enable PKINIT in IdM
3. Configure IdM one-way trust with Active Directory (corp.lab.local)
4. Set altSecurityIdentities attribute in Active Directory test user account (for smart card mapping)
5. Configure PAM for smart card logon (require_cert_auth)
6. Insert smart card on IdM server and attempt login (testuser@corp.lab.local).
7. Login using smart card fails.
Expected results
Login using a smart card should work.
Actual results
If I use the /etc/krb5.conf generated by ipa-client-install, I am unable to log in with a smart card. If I modify krb5.conf to manually add the Microsoft Active Directory realm, it works. It seems like there are two errors: "Failed to verify own certificate (depth 0)" (caused by missing pkinit_anchors for "corp.lab.local") and "KDC name mismatch" (caused by missing pkinit_kdc_hostname for "corp.lab.local").
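The reporter states that manually adding the Active Directory realm to krb5.conf makes smart-card login work. The fragment below is an added example of what such a realm stanza looks like; it is not taken from the bug report or from any file ipa-client-install writes. The realm names (IPA.CORP.LAB.LOCAL, CORP.LAB.LOCAL), the domain controller hostname dc1.corp.lab.local and the CA bundle paths are assumptions chosen to match the hostnames mentioned above; substitute your own. pkinit_anchors, pkinit_pool, pkinit_kdc_hostname and pkinit_eku_checking are standard MIT krb5 [realms] options.

```ini
; /etc/krb5.conf - added example, not the file generated by ipa-client-install.
; Only the parts relevant to PKINIT against a trusted AD realm are shown.

[libdefaults]
    default_realm = IPA.CORP.LAB.LOCAL     ; assumed IdM realm name
    dns_lookup_realm = false
    dns_lookup_kdc = true
    rdns = false

[realms]
    ; IdM realm: the anchors here cover the IdM KDC certificate. These two
    ; lines are what ipa-client-install normally sets up for the IdM realm.
    IPA.CORP.LAB.LOCAL = {
        kdc = ipa.corp.lab.local:88
        admin_server = ipa.corp.lab.local:749
        pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
        pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    }

    ; Trusted AD realm: this stanza is the part the reporter had to add by
    ; hand. Without pkinit_anchors the client cannot build a trusted chain
    ; for the AD KDC certificate; without pkinit_kdc_hostname it rejects a
    ; DC certificate whose SAN carries a dNSName rather than a Kerberos
    ; principal name ("KDC name mismatch").
    CORP.LAB.LOCAL = {
        kdc = dc1.corp.lab.local            ; assumed domain controller
        ; Assumed path: a PEM file containing the AD enterprise CA chain.
        pkinit_anchors = FILE:/etc/pki/ca-trust/source/anchors/corp-ad-ca.pem
        ; Accept a KDC certificate whose dNSName SAN is the DC hostname.
        pkinit_kdc_hostname = dc1.corp.lab.local
        ; Only needed if the DC certificate lacks the KDC Authentication EKU
        ; (e.g. older Domain Controller templates); otherwise leave default.
        pkinit_eku_checking = kpServerAuth
    }

[domain_realm]
    ; MIT krb5 uses the longest matching suffix, so the IdM entries win
    ; for IdM hosts even though they also match .corp.lab.local.
    .ipa.corp.lab.local = IPA.CORP.LAB.LOCAL
    ipa.corp.lab.local = IPA.CORP.LAB.LOCAL
    .corp.lab.local = CORP.LAB.LOCAL
    corp.lab.local = CORP.LAB.LOCAL
```

A quick way to confirm the stanza before touching PAM is to run PKINIT directly against the AD realm with tracing enabled, for example KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=PKCS11: testuser@CORP.LAB.LOCAL; the trace shows which anchors were loaded and which SAN the client compared the KDC certificate against. Note that whatever is added by hand to /etc/krb5.conf may be overwritten on a later ipa-client-install run, so keep a copy of the AD realm stanza.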