krb5kdc: ASN.1 failed call to system time library - while dispatching

[Ed Ravin]

My shop uses the MIT KDC and NetBSD 1.5 (Heimdal) clients.  Everything
has been working until this (Monday) morning, when all of a sudden
kinit doesn't work anymore, and the KDC is logging these messages:

  krb5kdc: ASN.1 failed call to system time library - while dispatching
  krb5kdc: ASN.1 failed call to system time library - while dispatching
  krb5kdc: ASN.1 failed call to system time library - while dispatching
  krb5kdc: ASN.1 failed call to system time library - while dispatching
  krb5kdc: Invalid message type - while dispatching
  krb5kdc: Invalid message type - while dispatching
  krb5kdc: Invalid message type - while dispatching

After doing a bit of Googling on the "ASN.1 failed call" message, it turns
out that this is associated with incorrectly formatted time information:

> Ken Raeburn <raeburn at mit.edu> writes:
> 
> > How odd.  That indicates an error reported by our gmt_mktime routine,
> > applied to the parsed ASN.1 time encoding sent by some client.  If the
> > client in question is using the MIT code, we'd certainly like to know
> > about it. :-)

Another person reports getting this error when the client computer had its
date set way wrong.  But that's not the problem with our systems - the
time is properly synchronized, and this suddenly began failing today
(or perhaps over the weekend, we weren't there to check).

Rebooting the client computer didn't help.  Switching to MIT's kinit fixed
the problem, though.  Also, I tested on a NetBSD 1.6 host and that kinit
seemed OK.

Any thoughts as to what might have been going on?
-- 
eravin@    |   Grief can take care of itself; but to get the full
panix.com  |   value of a joy you must have somebody to divide it with.
           |                   -- Mark Twain