krb5 with anonymous kinit, "Cannot allocate memory"

James Croall jcroall at coverity.com
Fri Oct 11 23:54:20 EDT 2013


Some sleuthing and adding DEBUG to pkinit.so reveals:

pkinit_find_realm_context: returning context at 0x20108c0 for realm
'TRIAL.COVERITY.COM'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
cert = /C=US/ST=CA/L=San Francisco/O=Coverity Free
Trial/CN=sso.trial.coverity.com
callback function: 10 (certificate has expired)
failed to create a certificate chain: certificate has expired  <===
failed to create pkcs7 signed data
pkinit_fini_kdc_req_context: freeing   reqctx at 0x2030c30
pkinit_fini_req_crypto: freeing   ctx at 0x2030950
Oct 12 03:51:02 sso krb5kdc[2507](info): AS_REQ (4 etypes {18 17 16 23})
10.0.0.252: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS at TRIAL.COVERITY.COM for
krbtgt/TRIAL.COVERITY.COM at TRIAL.COVERITY.COM, Cannot allocate memory


AHA! I must have accidentally set the certificate to expire in a month
rather than a year. Approximate times line up. Reasonable user error. Very
poor error reporting though!

- James



James Croall | Senior Product Manager
Coverity | 185 Berry Street | Suite 6500, Lobby 3 | San Francisco, CA
94107 
Office: 415.694.5354 | Mobile: 202.246.6613 | jcroall at coverity.com
The Leader in Development Testing
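Added check (not from the thread and not part of krb5): a small shell helper that runs the openssl CLI against the KDC's PKINIT certificate so an expiry like the one found above is caught on the KDC itself, rather than surfacing to `kinit -n` clients only as "Cannot allocate memory". It assumes `openssl` is on PATH; the certificate path and warning window in the usage call are placeholders.

```shell
#!/bin/sh
# Added example: verify the KDC's PKINIT certificate (the file named by
# pkinit_identity in kdc.conf) before anonymous PKINIT silently breaks.
# Assumes the openssl CLI is installed. Paths below are placeholders.

# pkinit_cert_check CERT.pem [WARN_DAYS]
#   exit 0: certificate valid and not expiring within WARN_DAYS (default 30)
#   exit 1: certificate already expired (the failure seen in the KDC log)
#   exit 2: certificate expires within WARN_DAYS
#   exit 3: file unreadable or not an X.509 certificate
pkinit_cert_check() {
    cert="$1"
    warn_days="${2:-30}"

    # Bail out early if openssl cannot even parse the file.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 3

    subject=$(openssl x509 -in "$cert" -noout -subject)
    enddate=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')

    # -checkend N exits non-zero when the cert expires within N seconds;
    # N=0 therefore means "already expired".
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: $subject (notAfter $enddate)"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        echo "EXPIRING within ${warn_days}d: $subject (notAfter $enddate)"
        return 2
    fi
    echo "OK: $subject (notAfter $enddate)"
    return 0
}

# Usage (placeholder path): run from cron on the KDC and alert on rc != 0.
if [ "$#" -gt 0 ]; then
    pkinit_cert_check "$@"
fi
```

The same check can be pointed at the client-side certificate when a non-anonymous `kinit` fails the same way.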





On 10/11/13 6:54 PM, "James Croall" <jcroall at coverity.com> wrote:

>Since discovering the symptoms it is reproducible every time - from
>systems that are able to kinit normally, it happens when I kinit -n. From
>the new systems that are trying to bootstrap, it happens when I kinit -n.
>
>Nothing has (to my knowledge) changed on these hosts. Indeed the KDC and
>normal Kerberos clients have been up for 80 days now with no
>patches/updates!
>
>I will try and capture the transaction/packets.
>
>- James
>
>
>
>
>
>
>
>
>On 10/11/13 6:45 PM, "Benjamin Kaduk" <kaduk at MIT.EDU> wrote:
>
>>There are certainly some places in the pkinit code where the return value
>>is initialized to ENOMEM which can get returned for failures other than
>>memory allocation.  It's hard to venture a guess as to which one(s) you
>>are running into, though.
>>
>>Do you have a sense for how reproducible the problem is?  (E.g., on a
>>single client/machine level, all requests, somewhere in between.)  If it
>>is reproducible, a captured packet could in principle be replayed against
>>a debugging KDC and the execution stepped through to find where the error
>>is returned.
>>
>>One coarse-grained factor is whether you are using the openssl or NSS
>>backend for pkinit.
>>
>>-Ben Kaduk
>>
>
>
>
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
>