
CAC authentication to @mil via subordinate domain w/ heimdal



We are working with a customer to develop a solution to use smart-card
authentication to Active Directory using Common Access Cards and
Heimdal's PKINIT capabilities.

We've run into a few problems...

Namely:
@mil in UPN needs to be mapped to a FQDN.
Attempted fix: On the command line use --canonicalize to allow passing
the given UPN to the test domain controller.
Result: Authentication attempted, but results in an error: "Inconsistent
key purpose"
This error seems to be generated server-side, as I cannot find any
generation of this error code in the Heimdal code base.

Another issue would be 'trust', I assume.  So a mapping like so was
added to the configuration file:
[capaths]
    TESTDOMAIN.LOCAL = {
       MIL = .
    }

Is this correct?  I presume this means that Heimdal can authenticate
to MIL through TESTDOMAIN.LOCAL.

Has anybody else dealt with this authentication scenario and figured out
the proper configuration?

Environment:
    Linux box w/ Heimdal 1.0
    Windows 2003 Domain Controller (TESTDOMAIN.LOCAL) w/ access to
ID@mil mappings
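To make the meaning of the [capaths] entry above concrete, here is a small added Python example (not from the post, and not Heimdal's own code) that parses a [capaths] section in the brace syntax Heimdal and MIT share, resolves the transit path from a client realm to a server realm, and lists the cross-realm krbtgt principals the KDCs along that path must share. The sample configuration is constructed: it contains the poster's TESTDOMAIN.LOCAL entry plus a hypothetical two-hop entry for an EXAMPLE.ORG realm so the repeated-key (multi-hop) syntax is exercised too. The parser handles only this section shape, not the full krb5.conf grammar.

```python
"""Resolve Kerberos cross-realm transit paths from a [capaths] section.

Added example, not Heimdal code. The configuration below is constructed:
the TESTDOMAIN.LOCAL block is the one from the post; EXAMPLE.ORG and
HUB.EXAMPLE.ORG are hypothetical realms used only to show multi-hop syntax.
"""
import re

SAMPLE_CAPATHS = """
[capaths]
    TESTDOMAIN.LOCAL = {
       MIL = .
    }
    EXAMPLE.ORG = {
       MIL = HUB.EXAMPLE.ORG
       MIL = TESTDOMAIN.LOCAL
    }
"""

_BLOCK_OPEN = re.compile(r'^([^=\s]+)\s*=\s*\{$')
_HOP_LINE = re.compile(r'^([^=\s]+)\s*=\s*(\S+)$')


def parse_capaths(text):
    """Parse [capaths] into {client_realm: {server_realm: [hop, ...]}}.

    Within a client block, repeated "SERVER = HOP" lines list the
    intermediate realms in order; the single value "." means a direct
    cross-realm relationship with no intermediates.
    """
    paths = {}
    client = None
    in_section = False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('['):
            in_section = (line == '[capaths]')
            continue
        if not in_section:
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            client = m.group(1)
            paths.setdefault(client, {})
            continue
        if line == '}':
            client = None
            continue
        m = _HOP_LINE.match(line)
        if m and client is not None:
            server, hop = m.groups()
            paths[client].setdefault(server, []).append(hop)
    return paths


def transit_path(paths, client_realm, server_realm):
    """Ordered realms the client obtains cross-realm TGTs from, ending with
    server_realm, or None when no path is configured for that pair."""
    hops = paths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return None
    intermediates = [h for h in hops if h != '.']
    return intermediates + [server_realm]


def cross_realm_principals(paths, client_realm, server_realm):
    """krbtgt principals that must exist (with shared keys) for the path.

    Each hop from realm A to realm B requires A's KDC to hold krbtgt/B@A;
    [capaths] only describes the route, it does not create these keys.
    """
    path = transit_path(paths, client_realm, server_realm)
    if path is None:
        return None
    principals, current = [], client_realm
    for nxt in path:
        principals.append(f'krbtgt/{nxt}@{current}')
        current = nxt
    return principals


if __name__ == '__main__':
    cfg = parse_capaths(SAMPLE_CAPATHS)
    for client, server in (('TESTDOMAIN.LOCAL', 'MIL'), ('EXAMPLE.ORG', 'MIL')):
        print(client, '->', server, ':', transit_path(cfg, client, server))
        print('  needs', cross_realm_principals(cfg, client, server))
```

For the poster's entry the resolver yields a direct path, so the only key involved is krbtgt/MIL@TESTDOMAIN.LOCAL; if that cross-realm principal does not exist on the TESTDOMAIN.LOCAL KDC, the [capaths] line has nothing to route over. The "Inconsistent key purpose" string corresponds to the PKINIT error code KDC_ERR_INCONSISTENT_KEY_PURPOSE defined in RFC 4556, which a KDC returns when the client certificate's key usage or extended key usage does not match what it requires for PKINIT, so checking the certificate's EKU against the KDC's policy is the first place to look for that symptom.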