On Monday, January 12, 2004 11:55:44 -0500 Ed Ravin <[EMAIL PROTECTED]> wrote:
My shop uses the MIT KDC and NetBSD 1.5 (Heimdal) clients. Everything has been working until this (Monday) morning, when all of a sudden kinit doesn't work anymore, and the KDC is logging these messages:
krb5kdc: ASN.1 failed call to system time library - while dispatching krb5kdc: ASN.1 failed call to system time library - while dispatching krb5kdc: ASN.1 failed call to system time library - while dispatching krb5kdc: ASN.1 failed call to system time library - while dispatching krb5kdc: Invalid message type - while dispatching krb5kdc: Invalid message type - while dispatching krb5kdc: Invalid message type - while dispatching
After doing a bit of Googling on the "ASN.1 failed call" message, it turns out that this is associated with incorrectly formatted time information:
Ken Raeburn <[EMAIL PROTECTED]> writes:
> How odd. That indicates an error reported by our gmt_mktime routine, > applied to the parsed ASN.1 time encoding sent by some client. If the > client in question is using the MIT code, we'd certainly like to know > about it. :-)
Another person reports getting this error when the client computer had its date set way wrong. But that's not the problem with our systems - the time is properly synchronized, and this suddenly began failing today (or perhaps over the weekend, we weren't there to check).
Rebooting the client computer didn't help. Switching to MIT's kinit fixed the problem, though. Also, I tested on a NetBSD 1.6 host and that kinit seemed OK.
Any thoughts as to what might have been going on?
Are you by any chance running kinit --renewable? There is a known bug in heimdal which will cause that invocation to issue an invalid request to the KDC after 13:37:03 UTC this past Saturday, when UNIX time rolled over to 0x40000000.
If this is the problem, you should be able to get it to work by dropping the --renewable, or adding --renewable-life=30d
-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]> Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
