Using Smartcard with PK-INIT does not respond

Loren M. Lang lorenl at alzatex.com
Wed Mar 4 19:23:22 EST 2009


On Wed, 2009-03-04 at 12:11 -0600, John Hascall wrote:
> 
> > > Mar 04 07:04:13 server krb5kdc[18148](info): AS_REQ (7 etypes {18 17 16
> > > 23 1 3 2}) 192.168.1.237: KDC_RETURN_PADATA: user at EXAMPLE.COM for
> > > krbtgt/EXAMPLE.COM at EXAMPLE.COM, Cannot allocate memory
> 
> > > There is no memory crunch on the server.
> 
> > After a quick glance at the code, I don't see where ENOMEM is returned
> > in cases where it wasn't an allocation error.  If you have output from
> > -DDEBUG, that might give us a clue of the problem.
> 
> Typically I find this happens where something has previously gone 
> amiss and "malloc" gets passed some absurd number.

The server and client are two different machines.  I only modified the
client machine's pkinit.so and, yes, I did rename the old pkinit.so to
pkinit2.so in the same directory.  Moving the original pkinit.so
completely out of lib as Douglas suggested did not fix it.  I ran strace
-okdc.trace krb5kdc -n on the server.  Looking through the trace logs
from the accept() of the preauth connection to write() I see nothing
suspicious and no ENOMEM errors.  I see a bunch of read()s of my AS-REQ,
various access to principal* and a read() from /dev/urandom.  Nothing
between accept() and the write() of the error message even returns a
negative number.

> 
> John
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
-- 
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/


Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A  3FA4 DCEE BB39 7654 DE5B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7539 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20090304/905dd246/attachment.bin


More information about the Kerberos mailing list