unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)

Mathew Rowley mathew_rowley at cable.comcast.com
Fri Jan 9 16:43:47 EST 2009


I have MIT Kerberos running with an OpenLDAP backend.  There was a power
outage last weekend, and today I noticed that I cannot kinit.  The error
I am receiving is:

[root at krb01 openldap]# kinit mrowley
kinit(v5): Generic error (see e-text) while getting initial credentials

krb5kdc.log:
Jan 09 16:38:43 krb01.security.lab.comcast.com krb5kdc[15758](info): AS_REQ
(12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.252.152.73:
LOOKING_UP_CLIENT: mrowley at KRB.COMCAST.COM for
krbtgt/KRB.COMCAST.COM at KRB.COMCAST.COM, unable to decode stored principal
key data (ASN.1 encoding ended unexpectedly)

This is when trying to kinit on the Kerberos server.  This error occurs with
any principal. The LDAP backend is working correctly, but I cannot be sure
whether any of the Kerberos data has been corrupted.

Has anyone seen this before, or does anyone have a way of fixing it?  If the
error is in the LDAP backend, I cannot simply slapcat the data out and then
re-import it, because the corrupt data will still be there.  The only thing I
can think of is that the error is in one of the keytab files.  Thanks for any
help.

When running kinit, this is the strace output of the server:
Process 15758 attached - interrupt to quit
select(22, [10 11 12 13 14 15 16 17 18 19 20 21], [], [], NULL) = 1 (in
[13])
recvfrom(13, 
"j\201\3010\201\276\241\3\2\1\5\242\3\2\1\n\244\201\2610\201\256\240\7\3\5\0
\0\0\0\20\241"..., 4096, 0, {sa_family=AF_INET, sin_port=htons(32810),
sin_addr=inet_addr("10.252.152.73")}, [16]) = 196
time(NULL)                              = 1231522663
time(NULL)                              = 1231522663
gettimeofday({1231522663, 432784}, NULL) = 0
time(NULL)                              = 1231522663
write(8, "0\202\0022\2\1\5c\202\2+\4\33o=comcast,dc=comcas"..., 566) = 566
time(NULL)                              = 1231522663
poll([{fd=8, events=POLLIN|POLLPRI|POLLERR|POLLHUP, revents=POLLIN}], 1,
300000) = 1
read(8, "0\202\1\225\2\1\5d", 8)        = 8
read(8, "\202\1\216\4gkrbPrincipalName=mrowley at IP"..., 401) = 401
time(NULL)                              = 1231522663
poll([{fd=8, events=POLLIN|POLLPRI|POLLERR|POLLHUP, revents=POLLIN}], 1,
300000) = 1
read(8, "0\f\2\1\5e\7\n", 8)            = 8
read(8, "\1\0\4\0\4\0", 6)              = 6
time(NULL)                              = 1231522663
time(NULL)                              = 1231522663
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
write(3, "Jan 09 12:37:43 ipa01.security.l"..., 304) = 304
gettimeofday({1231522663, 435842}, NULL) = 0
time(NULL)                              = 1231522663
time(NULL)                              = 1231522663
sendto(13, 
"~\201\2670\201\264\240\3\2\1\5\241\3\2\1\36\242\21\30\017200901091737"...,
186, 0, {sa_family=AF_INET, sin_port=htons(32810),
sin_addr=inet_addr("10.252.152.73")}, 16) = 186
gettimeofday({1231522663, 436423}, NULL) = 0
select(22, [10 11 12 13 14 15 16 17 18 19 20 21], [], [], NULL


-- 
MAT
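
An added example, not part of the original post and not MIT Kerberos code: a structural check that reports whether a base64 attribute value (for instance a krbPrincipalKey value in slapcat LDIF output) is a complete DER encoding or ends early, which is the condition the KDC error names. The function names are hypothetical and the sample bytes are constructed, not real key data.

```python
import base64

class Truncated(ValueError):
    """A DER header or length field runs past the end of the data."""

def read_tlv(buf, pos, end):
    """Parse one tag-length-value header; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise Truncated(f"header cut off at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled in this example")
    pos += 2
    if first < 0x80:                       # short form: length in one octet
        length = first
    else:                                  # long form: low 7 bits count the length octets
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        if pos + n > end:
            raise Truncated(f"length octets cut off at offset {pos}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise Truncated(f"value at offset {pos} claims {length} bytes, {end - pos} remain")
    return tag, pos, pos + length

def walk(buf, pos=0, end=None):
    """Validate every element in buf[pos:end], descending into constructed ones."""
    end = len(buf) if end is None else end
    count = 0
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos, end)
        count += 1
        if tag & 0x20:                     # constructed bit set: check the children too
            count += walk(buf, vstart, vend)
        pos = vend
    return count

def check_b64(value):
    """Report whether a base64 attribute value decodes to complete DER."""
    try:
        return f"ok ({walk(base64.b64decode(value))} elements)"
    except Truncated as exc:
        return f"truncated: {exc}"

# Constructed sample (not real key data): nested SEQUENCE with context tags.
SAMPLE = bytes.fromhex("3014a003020101a103020101a40830060404deadbeef")
```

Running check_b64 over each key value exported from the directory separates entries whose encoding is intact from those that were cut short.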


