Debugging PKINIT w/o recompiling?

Benjamin Kaduk kaduk at MIT.EDU
Wed May 20 23:04:31 EDT 2015

On Wed, 20 May 2015, Nordgren, Bryce L -FS wrote:

> Real quick, is there a common cause for the following message in the context of PKINIT?
> kinit: Invalid argument while getting initial credentials
> Adding "-V" adds no information of value. KDC logs show that the correct
> principal was located and preauth is required.

The KRB5_TRACE environment variable is the new scheme for doing runtime
debugging, though it requires tracepoints to have been added to the code
in question.  There do seem to be some tracepoints in pkinit, though, at
least on the current version of the tree.

> Wireshark shows a single AS_REQ/KRB_ERROR. Specifying identities on a
> smard card reveals that the network traffic completes, then a PIN is
> requested, then the "Invalid argument" error is emitted without further
> network traffic. As far as I can tell, this string exists exactly
> nowhere in the source code.

It is the com_err conversion for EINVAL, which appears many places in the
pkinit preauth module.

> I'll start polluting my box with *-devel packages to support recompiling
> with the debug option on, but I'm willing to stop if you already know
> the answer.

Ensure that DEBUG is defined in the preprocessor namespace.  There are
some other macros (DEBUG_ASN1, DEBUG_DER, DEBUG_CKSU, etc.), but I would
not enable them at first.


More information about the Kerberos mailing list