krb5 with anonymous kinit, "Cannot allocate memory"
James Croall
jcroall at coverity.com
Fri Oct 11 21:54:43 EDT 2013
Since discovering the symptoms it is reproducible every time - from
systems that are able to kinit normally, it happens when I kinit -n. From
the new systems that are trying to bootstrap, it happens when I kinit -n.
Nothing has (to my knowledge) changed on these hosts. Indeed the KDC and
normal Kerberos clients have been up for 80 days now with no
patches/updates!
I will try and capture the transaction/packets.
- James
James Croall | Senior Product Manager
Coverity | 185 Berry Street | Suite 6500, Lobby 3 | San Francisco, CA
94107
Office: 415.694.5354 | Mobile: 202.246.6613 | jcroall at coverity.com
The Leader in Development Testing
On 10/11/13 6:45 PM, "Benjamin Kaduk" <kaduk at MIT.EDU> wrote:
>There are certainly some places in the pkinit code where the return value
>is initialized to ENOMEM which can get returned for failures other than
>memory allocation. It's hard to venture a guess as to which one(s) you
>are running into, though.
>
>Do you have a sense for how reproducible the problem is? (E.g., on a
>single client/machine level, all requests, somewhere in between.) If it
>is reproducible, a captured packet could in principle be replayed against
>a debugging KDC and the execution stepped through to find where the error
>is returned.
>
>One coarse-grained factor is whether you are using the openssl or NSS
>backend for pkinit.
>
>-Ben Kaduk
>
More information about the Kerberos
mailing list