krb5 with anonymous kinit, "Cannot allocate memory"

James Croall jcroall at coverity.com
Fri Oct 11 21:38:16 EDT 2013 

Poking around with strace, and running krb5kdc with debug enabled, I see
no smoking gun that there is a lack memory problem.

Searching the kerberos mailing list and other forums I see similar
reports, but no explanation of cause or possible solutions. A bit lost
here. It was working great for a month.

Here's what happens when I run kinit -n:

Oct 12 01:35:39 sso krb5kdc[1786](debug): checking padata
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. pa_type 0x95
Oct 12 01:35:39 sso krb5kdc[1786](debug): client needs preauth, no hw
preauth; request has no preauth, no hw preauth
Oct 12 01:35:39 sso krb5kdc[1786](info): AS_REQ (4 etypes {18 17 16 23})
10.0.0.252: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS at TRIAL.COVERITY.COM for
krbtgt/TRIAL.COVERITY.COM at TRIAL.COVERITY.COM, Additional
pre-authentication required
Oct 12 01:35:39 sso krb5kdc[1786](debug): checking padata
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. pa_type 0x85
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. pa_type 0x10
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. pa_type pkinit
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. .. ok
Oct 12 01:35:39 sso krb5kdc[1786](debug): client needs preauth, no hw
preauth; request has preauth, no hw preauth
Oct 12 01:35:39 sso krb5kdc[1786](debug): original preauth mechanism list:
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... etype-info(11)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... etype-info2(19)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pw-salt(3)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... encrypted_challenge(138)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(16)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(14)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(15)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(147)
Oct 12 01:35:39 sso krb5kdc[1786](debug): sorted preauth mechanism list:
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(16)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(14)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(15)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... encrypted_challenge(138)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... etype-info(11)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... etype-info2(19)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pw-salt(3)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(147)
Oct 12 01:35:39 sso krb5kdc[1786](info): AS_REQ (4 etypes {18 17 16 23})
10.0.0.252: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS at TRIAL.COVERITY.COM for
krbtgt/TRIAL.COVERITY.COM at TRIAL.COVERITY.COM, Cannot allocate memory


Any suggestions appreciated.

Thanks,

- James



James Croall | Senior Product Manager
Coverity | 185 Berry Street | Suite 6500, Lobby 3 | San Francisco, CA
94107 
Office: 415.694.5354 | Mobile: 202.246.6613 | jcroall at coverity.com
The Leader in Development Testing





On 10/11/13 2:57 PM, "James Croall" <jcroall at coverity.com> wrote:

>I should add, this error occurs when running kinit -n.
>
>I can still kinit as a user on an already setup host and get a TGT.
>
>- James
>
>
>
>James Croall | Senior Product Manager
>Coverity | 185 Berry Street | Suite 6500, Lobby 3 | San Francisco, CA
>94107 
>Office: 415.694.5354 | Mobile: 202.246.6613 | jcroall at coverity.com
>The Leader in Development Testing
>
>
>
>
>
>On 10/11/13 2:49 PM, "James Croall" <jcroall at coverity.com> wrote:
>
>>Hi All,
>>
>>Thanks again for the help getting anonymous kinit running! We have been
>>running in production for over a month and things are goingŠ well. Until
>>today.
>>
>>This week a new error occurred on the KDC side:
>>
>>Oct 11 21:25:57 sso krb5kdc[10394](info): AS_REQ (4 etypes {18 17 16 23})
>>10.0.1.13: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS at TRIAL.COVERITY.COM for
>>krbtgt/TRIAL.COVERITY.COM at TRIAL.COVERITY.COM, Additional
>>pre-authentication required
>>Oct 11 21:25:58 sso krb5kdc[10394](info): AS_REQ (4 etypes {18 17 16 23})
>>10.0.1.13: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS at TRIAL.COVERITY.COM for
>>krbtgt/TRIAL.COVERITY.COM at TRIAL.COVERITY.COM, Cannot allocate memory
>>
>>It is the second line that is problematic. The kinit side reports:
>>
>>kinit: Generic error (see e-text) while getting initial credentials
>>
>>The system is not out of memory. No system configuration changes have
>>been made. I am at a loss. Googling around I see strange reports of this
>>error coming and then going and I don't know what to make of it.
>>
>>Any ideas?
>>
>>- James
>>
>>James Croall | Senior Product Manager
>>Coverity | 185 Berry Street | Suite 6500, Lobby 3 | San Francisco, CA
>>94107
>>Office: 415.694.5354 | Mobile: 202.246.6613 |
>>jcroall at coverity.com<mailto:jcroall at coverity.com>
>>The Leader in Development Testing
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>

More information about the Kerberos mailing list