krb5kdc: ASN.1 failed call to system time library - while dispatching
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Jan 12 17:54:49 EST 2004
On Monday, January 12, 2004 11:55:44 -0500 Ed Ravin <eravin at panix.com>
wrote:
> My shop uses the MIT KDC and NetBSD 1.5 (Heimdal) clients. Everything
> has been working until this (Monday) morning, when all of a sudden
> kinit doesn't work anymore, and the KDC is logging these messages:
>
> krb5kdc: ASN.1 failed call to system time library - while dispatching
> krb5kdc: ASN.1 failed call to system time library - while dispatching
> krb5kdc: ASN.1 failed call to system time library - while dispatching
> krb5kdc: ASN.1 failed call to system time library - while dispatching
> krb5kdc: Invalid message type - while dispatching
> krb5kdc: Invalid message type - while dispatching
> krb5kdc: Invalid message type - while dispatching
>
> After doing a bit of Googling on the "ASN.1 failed call" message, it turns
> out that this is associated with incorrectly formatted time information:
>
>> Ken Raeburn <raeburn at mit.edu> writes:
>>
>> > How odd. That indicates an error reported by our gmt_mktime routine,
>> > applied to the parsed ASN.1 time encoding sent by some client. If the
>> > client in question is using the MIT code, we'd certainly like to know
>> > about it. :-)
>
> Another person reports getting this error when the client computer had its
> date set way wrong. But that's not the problem with our systems - the
> time is properly synchronized, and this suddenly began failing today
> (or perhaps over the weekend, we weren't there to check).
>
> Rebooting the client computer didn't help. Switching to MIT's kinit fixed
> the problem, though. Also, I tested on a NetBSD 1.6 host and that kinit
> seemed OK.
>
> Any thoughts as to what might have been going on?

Are you by any chance running kinit --renewable? There is a known bug in
Heimdal which will cause that invocation to issue an invalid request to the
KDC after 13:37:03 UTC this past Saturday, when UNIX time rolled over to
0x40000000.

If this is the problem, you should be able to get it to work by dropping
the --renewable, or adding --renewable-life=30d.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
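
Added example, not part of the original message and not Heimdal's code: a sketch of why a client-side time computation can start failing exactly when UNIX time reaches 0x40000000, and why an explicit 30-day lifetime avoids it. It assumes a 32-bit signed time_t and a default renewable lifetime of 2^30 seconds (the message does not say how the bug arises); the function and macro names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* ASSUMPTION (not stated in the post): default renewable lifetime of 2^30 s. */
#define ASSUMED_RENEW_LIFE INT64_C(0x40000000)
#define ROLLOVER INT32_C(0x40000000)   /* the UNIX time named in the post */

/* Hypothetical helper: now + life as a 32-bit signed time_t would store it
 * (wraps modulo 2^32, computed without relying on undefined behaviour). */
static int32_t renew_till_32(int32_t now, int64_t life)
{
    int64_t w = (int64_t)(uint32_t)((uint32_t)now + (uint32_t)life);
    if (w > INT32_MAX)
        w -= INT64_C(4294967296);
    return (int32_t)w;
}

/* Hypothetical hardened form: refuse a renew-till that does not fit,
 * returning -1 instead of putting a wrapped time into the request. */
static int64_t renew_till_checked(int32_t now, int64_t life)
{
    int64_t t = (int64_t)now + life;
    if (now < 0 || life < 0 || t > INT32_MAX)
        return -1;
    return t;
}

int main(void)
{
    const int32_t samples[] = { ROLLOVER - 1, ROLLOVER };  /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        int32_t now = samples[i];
        printf("now=0x%08lx default: wrapped=%ld checked=%lld | 30d: %ld\n",
               (unsigned long)(uint32_t)now,
               (long)renew_till_32(now, ASSUMED_RENEW_LIFE),
               (long long)renew_till_checked(now, ASSUMED_RENEW_LIFE),
               (long)renew_till_32(now, 30 * INT64_C(86400)));
    }
    return 0;
}
```

One second before the rollover the assumed default still fits in 32 bits; at the rollover it wraps to a negative time, which a KDC-side time conversion would be expected to reject.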