Using Smartcard with PK-INIT does not respond
Loren M. Lang
lorenl at alzatex.com
Wed Mar 4 19:40:12 EST 2009
On Wed, 2009-03-04 at 12:16 -0500, Kevin Coffman wrote:
> On Wed, Mar 4, 2009 at 10:24 AM, Loren M. Lang <lorenl at alzatex.com> wrote:
> > On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
> >> >
> >> > > This symlinks point to missing certificates that have nothing to do with
> >> > > the pki infrastructure I am using, but once I moved the symlinks out of
> >> > > the way, kinit continued and finally sent out an AS-REQ with the PK-INIT
> >> > > preauth data, but received no response. According to Wireshark,
> >> > > following the initial AS-REQ with no preauth, the server responds with a
> >> > > NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
> >> > > and PA-PK-AS-REP. The client then sends a single IP fragment response.
> >> > > The fragment has a payload of 1480 bytes with flag more fragments, but
> >> > > no further fragments are sent. I have no firewall rules installed and
> >> > > am at a loss as to why there are no more fragments.
> >> >
> >> > I'm not sure what might be happening here. This would just be a
> >> > work-around, but is it possible for you to try using TCP rather than
> >> > UDP?
> >>
> >> I enabled TCP support on my KDCs and netstat confirms they are listening
> >> on them. I tried setting udp_preference_limit to 1480, 1000, and 50,
> >> but kinit never uses TCP. I put udp_preference_limit both at the very
> >> beginning and very end of my libdefaults section in krb5.conf and even
> >> tried using copy/paste to double check that I typed it correctly.
> >
> > Never mind, I only had UDP SRV records published, now it's using TCP.
> > The error I am getting now is KRB5KRB_ERR_GENERIC with e-data:
> > KDC_RETURN_PADATA. The kdc log shows this relevant error:
> >
> > Mar 04 07:04:13 server krb5kdc[18148](info): AS_REQ (7 etypes {18 17 16
> > 23 1 3 2}) 192.168.1.237: KDC_RETURN_PADATA: user at EXAMPLE.COM for
> > krbtgt/EXAMPLE.COM at EXAMPLE.COM, Cannot allocate memory
> >
> > There is no memory crunch on the server.
>
> After a quick glance at the code, I don't see where ENOMEM is returned
> in cases where it wasn't an allocation error. If you have output from
> -DDEBUG, that might give us a clue of the problem.
After running the server with -DDEBUG, the answer became clear, it could
not find the intermediate certificates either. I setup pkinit_pool and
now I can log in with my smartcard. The error message that was
producing in the log files was out of memory, but the debug output did
mention that it could not find a local issuer. The pkinit_identity file
I am using I produced similar to the certificates I use for other
services such as Apache and Sendmail. It contains the end-server
certificate followed by intermediates with the root CA certificate at
the bottom. I have found that the easiest way to deal with
intermediates, but I guess KDC only looks at the first certificate.
>
> K.C.
>
--
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7539 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20090304/ce2e22ab/attachment.bin
More information about the Kerberos
mailing list