KDC not sending A Reply to AS Request
Ken Raeburn
raeburn at MIT.EDU
Thu May 22 11:57:35 EDT 2008
On May 21, 2008, at 08:26, Chaitra Shankar wrote:
> In our project we are using MIT kerberos KDC server and small
> variations are done to the code of the clients directory to suit our
> project requirements. As per the requirements we are supposed to use
> PKINIT. How to configure the KDC server to accept PKINIT Request?
> Also the KDC is not responding to the AS Request sent to it. The
> Request is conformant to the specifications of Kerberos.
> The log files show an entry which is as follows:
> krb5kdc:ASN.1 structure is missing a required field - while
> despatching(udp)
> Please help us. We are not able to figure out where the problem
> might be occurring.

The ASN.1 code is one of the ugliest bits of our code, IMO, and there
is no good way to debug it.
A not-so-good way might be to intercept all the places where that
error code can be generated, attach the KDC process under a debugger,
and set a breakpoint at the intercept point. If you're already making
code modifications, I expect this won't be too difficult.
For example, in src/lib/krb5/asn.1, in the files asn1_k_decode.c,
asn1buf.c, and krb5_decode.c, after the inclusion of the headers and
before the function definitions, add something like this (untested)
code:
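
#include <stdio.h>   /* fprintf */
#include <stdlib.h>  /* abort */

/* Save the real error value before the macro is redefined below. */
static krb5_error_code asn1_missing_field = ASN1_MISSING_FIELD;

/* Report where the error was generated, then stop for the debugger. */
static krb5_error_code report_missing_field(int lineno) {
    fprintf(stderr, "missing field at %s line %d\n", __FILE__, lineno);
    abort();
    return asn1_missing_field; /* not actually reached */
}

/* Every later use of ASN1_MISSING_FIELD now goes through the reporter. */
#undef ASN1_MISSING_FIELD
#define ASN1_MISSING_FIELD (report_missing_field(__LINE__))
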
Compile, start it up under gdb, with "-n" to keep it in foreground
with stderr attached to the terminal, set a breakpoint in "abort", and
trigger the problem again. The stack trace will show you what lines
in what decoding routines caused this error, and in each routine, the
source code would indicate what field is being decoded.
(If you leave out the abort call, make the function external, and
declare it instead of defining it in all but one source file, and
compile it either without optimization or with function inline
expansion disabled, you can set a breakpoint in the function itself,
and still have a KDC that should function normally when you're not
actually debugging the problem -- it'll print the message and continue
on.)
Ken
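
Added example, not part of the original message and not MIT krb5 code: a stand-alone C sketch of the non-aborting variant described in the last paragraph, showing how the reported line tells you which required field was missing. DEMO_MISSING_FIELD, decode_pair, last_report_line and the toy tag/length/value format are hypothetical names and data constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define DEMO_MISSING_FIELD 1001            /* constructed stand-in error code */

/* Save the real value before the macro is redefined below. */
static const int demo_missing_field = DEMO_MISSING_FIELD;
static int last_report_line;               /* line of the most recent report */

/* Non-aborting reporter: break here in gdb; without a debugger it just
 * logs the origin and hands back the original error code. */
int report_missing_field(const char *file, int lineno)
{
    last_report_line = lineno;
    fprintf(stderr, "missing field at %s line %d\n", file, lineno);
    return demo_missing_field;
}

#undef DEMO_MISSING_FIELD
#define DEMO_MISSING_FIELD (report_missing_field(__FILE__, __LINE__))

/* Toy decoder (constructed): two one-byte fields encoded as tag,len,value,
 * tag 0x01 first, then tag 0x02. Both are required. */
int decode_pair(const unsigned char *buf, size_t len, int *a, int *b)
{
    if (len < 3 || buf[0] != 0x01 || buf[1] != 1)
        return DEMO_MISSING_FIELD;         /* field a absent */
    *a = buf[2];
    if (len < 6 || buf[3] != 0x02 || buf[4] != 1)
        return DEMO_MISSING_FIELD;         /* field b absent */
    *b = buf[5];
    return 0;
}

int main(void)
{
    const unsigned char truncated[] = { 0x01, 1, 7 };   /* field b left out */
    int a = 0, b = 0;
    int rc = decode_pair(truncated, sizeof truncated, &a, &b);
    printf("rc=%d, generated at line %d\n", rc, last_report_line);
    return 0;
}
```
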