The extensions.client file in pkinit.rst creates a single-principal SAN, even if the CLIENT environment variable is set to a value containing slashes. If the resulting certificate is used with a multi-component client principal, the KDC will deny the request with a client mismatch error (without enough detail in the logs; see #7938). The documentation should explain this and should explain how to modify extensions.client to create multi-component principal SANs.