Heimdal Kerberos on MacOSX 10.9.5 using pkinit produces verify error

Russ Allbery eagle at eyrie.org
Sun Aug 23 21:23:01 EDT 2015


Greg Hudson <ghudson at mit.edu> writes:
> On 08/23/2015 09:51 AM, Glenn Machin wrote:

>> Aug 22 19:23:35 as36snllx krb5kdc[25098]: AS_REQ (7 etypes {18 17 16 23
>> 3 2 1}) 134.253.253.38: PREAUTH_FAILED: gmachin at dce.sandia.gov for
>> krbtgt/dce.sandia.gov at dce.sandia.gov, error:0D08303A:asn1 encoding
>> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error

>> Is this a known problem?

> We've seen one other report of this error with the same combination of
> OS X client and krb5 1.10 KDC.  I might be able to track it down given a
> raw packet dump of the request, if you can send one to me personally.
> (There shouldn't be any really secret information in the packet dump,
> but the list server will strip attachments.)

> The other report was here:

> http://mailman.mit.edu/pipermail/kerberos/2015-June/020819.html

I'm pretty sure I saw something similar with Heimdal on Linux, but don't
have my test environment for PKINIT set up right now (or, rather, it's
generating a completely different set of weird errors at the moment).

I've had very poor luck with interoperability of PKINIT between Heimdal
and MIT, but haven't had a concrete need or project where I've had a
reason to dive in and gather data about exactly what's failing and why.  :/

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

