What Should I Push On?
Douglas E. Engert
deengert at anl.gov
Tue May 15 10:14:03 EDT 2012
On 5/14/2012 8:21 PM, Henry B. Hotz wrote:
> I've been holding off on adding to this thread until I could be more definitive, but here's a progress report:
>
> First, the immediate cause of the memory allocation error was that I was feeding a .der file instead of .pem file to kerberos as an anchor. Since that's documented, it qualifies as a user error.
>
> Second, getting the "no anchors in file" error to print requires building a version with -DDEBUG, not merely setting KRB5_TRACE. Doing that build (at least on MacOS 10.6) required 4-5 minor patches.
>
> Third, "retrying with TCP" did not work (with a Heimdal 1.2 server anyway). Forcing TCP to begin with was sufficient to get MIT kinit to work with a file-based X.509 credential. This may not be MIT's fault since Heimdal kinit degrades severely with UDP when scaling up the load to multiple client machines with multiple clients/machine. Messages larger than a single UDP packet are probably a contributing factor, but I have not verified this. Since forcing TCP might be a good idea anyway, it will be a while before I get back to this issue.
>
> So, like I said, that gets things working with a file-based credential.
>
> Fourth, as Doug said, there are multiple coolkey-1.1.0-19.el6.src.rpm's out there. After some hunting, the one he posted the patch for is:
>
> http://koji.thewebwillow.com/kojifiles/packages/coolkey/1.1.0/19.el6/src/coolkey-1.1.0-19.el6.src.rpm
>
> The MD5 matches. It contains a "coolkey-piv.patch" file. And the source file he's patching actually matches up with his diff after you apply all the patches in the SRPM. However I don't think this is a real "el6" SRPM. As rank speculation, it might be based off of the coolkey fork on software.forge.mil. I don't have access to that, and I don't know if I can get it either.
>
> I will definitely be trying out that SRPM (and Doug's patch) as soon as I get a few other fires put out.

I downloaded http://mirror.anl.gov/pub/scientific-linux/6/SRPMS/vendor/coolkey-1.1.0-19.el6.src.rpm
with MD5: 543e8a93f674ee402558c9494abae865
and ran on Ubuntu: alien -g coolkey-1.1.0-19.el6.src.rpm
to get the source and patches. The base coolkey-1.1.0.tar.gz and all the patches
are the same, so the differences must be in the creation of the rpm, and my patch
should not need changing.

>
> On May 14, 2012, at 1:31 PM, Dmitri Pal wrote:
>
>> On 05/05/2012 01:58 PM, Henry B. Hotz wrote:
>>> Thanks for the info. I may have issues to deal with after this one. *sigh*
>>>
>>> Since the specific problem shows with a PKCS12 credential as well, I'm thinking I should get a real RedHat 6.2 instance to test with first.
>>>
>>
>> Is there any way to get these cards to Red Hat for us to be able to test
>> this issue?
>> If this is an option please contact me off list.
>
> I already responded to Nathan Kinder off-list with a possible NASA contact. NASA PIV cards are issued under a NASA CA which is under the US Treasury CA. I know in the past they have provided test cards to Apple. I don't think it was easy to make that happen, but seems in theory it ought to be possible for RedHat as well. Not my department, unfortunately.
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
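
The first point in the quoted report (a .der file supplied where a .pem anchor is expected) can be caught before the file reaches kinit. The following is an added example, not part of this thread and not MIT krb5 code: the function names are hypothetical, the check looks only at the outer ASN.1 SEQUENCE rather than parsing the certificate, and the sample bytes are a constructed placeholder, not a real certificate.

```python
import base64
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: a bare SEQUENCE header (long-form length 256) plus
# 256 zero bytes. It has the outer shape of DER but is not a certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

def outer_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE TLV with a definite length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: the byte is the length
        header, length = 2, first
    else:
        n = first & 0x7F                  # long form: next n bytes hold the length
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)   # rejects truncated or padded input

def classify_anchor(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the contents of an anchor file."""
    blocks = PEM_CERT.findall(data)
    if blocks:
        try:
            decoded = [base64.b64decode(b) for b in blocks]
        except ValueError:                # binascii.Error is a ValueError
            return "unknown"
        return "pem" if all(outer_sequence_ok(d) for d in decoded) else "unknown"
    return "der" if outer_sequence_ok(data) else "unknown"

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])

if __name__ == "__main__":
    print(classify_anchor(SAMPLE_DER))                       # raw DER input
    print(classify_anchor(der_to_pem(SAMPLE_DER).encode()))  # after conversion
```

A file classified as `der` can be passed through `der_to_pem` and written out before it is configured as an anchor; `unknown` covers truncated files and anything that is not a certificate container at all.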