On Wed, 2009-03-04 at 12:16 -0500, Kevin Coffman wrote:
> On Wed, Mar 4, 2009 at 10:24 AM, Loren M. Lang <[email protected]> wrote:
> > On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
> >> >
> >> > > These symlinks point to missing certificates that have nothing to do with
> >> > > the pki infrastructure I am using, but once I moved the symlinks out of
> >> > > the way, kinit continued and finally sent out an AS-REQ with the PK-INIT
> >> > > preauth data, but received no response. According to Wireshark,
> >> > > following the initial AS-REQ with no preauth, the server responds with a
> >> > > NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
> >> > > and PA-PK-AS-REP. The client then sends a single IP fragment response.
> >> > > The fragment has a payload of 1480 bytes with flag more fragments, but
> >> > > no further fragments are sent. I have no firewall rules installed and
> >> > > am at a loss as to why there are no more fragments.
> >> >
> >> > I'm not sure what might be happening here. This would just be a
> >> > work-around, but is it possible for you to try using TCP rather than
> >> > UDP?
> >>
> >> I enabled TCP support on my KDCs and netstat confirms they are listening
> >> on them. I tried setting udp_preference_limit to 1480, 1000, and 50,
> >> but kinit never uses TCP. I put udp_preference_limit both at the very
> >> beginning and very end of my libdefaults section in krb5.conf and even
> >> tried using copy/paste to double check that I typed it correctly.
> >
> > Never mind, I only had UDP SRV records published, now it's using TCP.
> > The error I am getting now is KRB5KRB_ERR_GENERIC with e-data:
> > KDC_RETURN_PADATA. The kdc log shows this relevant error:
> >
> > Mar 04 07:04:13 server krb5kdc[18148](info): AS_REQ (7 etypes {18 17 16
> > 23 1 3 2}) 192.168.1.237: KDC_RETURN_PADATA: [email protected] for
> > krbtgt/[email protected], Cannot allocate memory
> >
> > There is no memory crunch on the server.
>
> After a quick glance at the code, I don't see where ENOMEM is returned
> in cases where it wasn't an allocation error. If you have output from
> -DDEBUG, that might give us a clue of the problem.

After running the server with -DDEBUG, the answer became clear: it could not
find the intermediate certificates either. I set up pkinit_pool and now I can
log in with my smartcard. The error message that was being produced in the log
files was out of memory, but the debug output did mention that it could not
find a local issuer. The pkinit_identity file I am using I produced similarly
to the certificates I use for other services such as Apache and Sendmail. It
contains the end-server certificate followed by intermediates with the root CA
certificate at the bottom. I have found that to be the easiest way to deal
with intermediates, but I guess the KDC only looks at the first certificate.

> > K.C.
>

--
Loren M. Lang
[email protected]
http://www.alzatex.com/

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B
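As an added example (not code from the thread or from MIT Kerberos): a POSIX shell helper that splits a combined PEM chain file of the kind Loren describes (server certificate first, intermediates, root last) into the leaf certificate alone for pkinit_identity and one file per issuer certificate for a pkinit_pool directory, so the KDC can find its local issuer instead of failing as it did above. The sample bundle it runs on is constructed with placeholder bodies, not real certificates, and the kdc.conf paths in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Splits a combined PEM chain
# (server cert first, then intermediates, root last) into:
#   - the leaf certificate alone, for pkinit_identity (the KDC reads only
#     the first certificate in that file, as the thread found), and
#   - one file per remaining certificate, for a pkinit_pool directory.

split_pem_chain() {
    bundle=$1      # input: concatenated PEM chain
    leaf=$2        # output: first certificate only
    pooldir=$3     # output: directory receiving chain-1.pem, chain-2.pem, ...
    mkdir -p "$pooldir"
    awk -v leaf="$leaf" -v pooldir="$pooldir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            if (n == 1) out = leaf
            else        out = pooldir "/chain-" (n - 1) ".pem"
        }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
}

# Number of PEM certificate blocks in a file (sanity check after the split).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample bundle: placeholder bodies, not real certificates.
make_sample_bundle() {
    out=$1
    : > "$out"
    for name in kdc-leaf intermediate-ca root-ca; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$name" \
            '-----END CERTIFICATE-----' >> "$out"
    done
}

# Dry run on the constructed bundle.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/chain.pem"
split_pem_chain "$demo_dir/chain.pem" "$demo_dir/kdc.pem" "$demo_dir/pool"
echo "leaf: $(count_certs "$demo_dir/kdc.pem") cert; pool: $(ls "$demo_dir/pool" | wc -l) files"

# Resulting kdc.conf realm settings (MIT krb5 key names from the thread;
# the file paths are assumptions for this example):
#   pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdc.key
#   pkinit_pool = DIR:/var/kerberos/krb5kdc/pool
```

Run the split once on the real chain file, point pkinit_identity at the leaf output and pkinit_pool at the directory, and re-check the KDC with -DDEBUG as in the thread; a "local issuer" complaint should no longer appear.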
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
