What Should I Push On?

Henry B. Hotz hotz at jpl.nasa.gov
Tue May 15 13:09:06 EDT 2012


Maybe it's on my receive end and not on my transmit end, but it looks like this email never went out.  Apologies if this is a duplicate.

-----------------

I've been holding off on adding to this thread until I could be more definitive, but here's a progress report:

First, the immediate cause of the memory allocation error was that I was feeding a .der file instead of a .pem file to kerberos as an anchor.  Since that's documented, it qualifies as a user error.

Second, getting the "no anchors in file" error to print requires building a version with -DDEBUG, not merely setting KRB5_TRACE.  Doing that build (at least on MacOS 10.6) required 4-5 minor patches.

Third, "retrying with TCP" did not work (with a Heimdal 1.2 server anyway).  Forcing TCP to begin with was sufficient to get MIT kinit to work with a file-based X.509 credential.  This may not be MIT's fault since Heimdal kinit degrades severely with UDP when scaling up the load to multiple client machines with multiple clients/machine.  Messages larger than a single UDP packet are probably a contributing factor, but I have not verified this.  Since forcing TCP might be a good idea anyway, it will be a while before I get back to this issue.

So, like I said, that gets things working with a file-based credential.

Fourth, as Doug said, there are multiple coolkey-1.1.0-19.el6.src.rpm's out there.  After some hunting, the one he posted the patch for is:

http://koji.thewebwillow.com/kojifiles/packages/coolkey/1.1.0/19.el6/src/coolkey-1.1.0-19.el6.src.rpm

The MD5 matches.  It contains a "coolkey-piv.patch" file.  And the source file he's patching actually matches up with his diff after you apply all the patches in the SRPM.  However, I don't think this is a real "el6" SRPM.  As rank speculation, it might be based off of the coolkey fork on software.forge.mil.  I don't have access to that, and I don't know if I can get it either.

I will definitely be trying out that SRPM (and Doug's patch) as soon as I get a few other fires put out.

On May 14, 2012, at 1:31 PM, Dmitri Pal wrote:

> On 05/05/2012 01:58 PM, Henry B. Hotz wrote:
>> Thanks for the info.  I may have issues to deal with after this one.  *sigh*
>> 
>> Since the specific problem shows with a PKCS12 credential as well, I'm thinking I should get a real Red Hat 6.2 instance to test with first.
>> 
> 
> Is there any way to get these cards to Red Hat for us to be able test
> this issue?
> If this is an option please contact me off list.

I already responded to Nathan Kinder off-list with a possible NASA contact.  NASA PIV cards are issued under a NASA CA which is under the US Treasury CA.  I know in the past they have provided test cards to Apple.  I don't think it was easy to make that happen, but it seems in theory it ought to be possible for Red Hat as well.  Not my department, unfortunately.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
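The "user error" in the first point above (a DER anchor handed to krb5 where a PEM file is expected) is easy to catch before kinit ever sees the file. The following is an added example written for this page, not code from MIT Kerberos, Heimdal or the author: it classifies a candidate anchor file as PEM or DER from its leading bytes and wraps a DER blob in a PEM envelope. The detection rule (PEM begins with a "-----BEGIN" line, DER begins with an outer 0x30 SEQUENCE tag whose encoded length covers the whole file) and the sample 5-byte DER blob are assumptions constructed for the illustration; a real CA certificate is also an outer SEQUENCE, so the same check applies.

```python
"""Classify a PKINIT anchor file as PEM or DER and convert DER to PEM.

Added illustration for the krbdev message above; not MIT krb5 code.
Assumption: PEM files start with a "-----BEGIN <label>-----" line and
DER files start with a 0x30 SEQUENCE tag whose length spans the file.
"""
import base64
import re

# One PEM block: label, then base64 body, then matching END line.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def der_length(data):
    """Total length (header + body) of the outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(data) < 2 + n:
        return None
    body = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + body


def anchor_format(data):
    """Return 'pem', 'der' or 'unknown' for the raw bytes of an anchor file."""
    if data.lstrip().startswith(b"-----BEGIN ") and PEM_RE.search(data):
        return "pem"
    total = der_length(data)
    if total is not None and total == len(data):
        return "der"
    return "unknown"


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap a single DER SEQUENCE in a PEM envelope (64-column base64)."""
    if der_length(der) != len(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def pem_to_der(pem):
    """Decode the first PEM block's base64 payload back to DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))


def check_anchor(data):
    """(format, pem_text): PEM passes through, DER is converted,
    anything else comes back with None so it can be refused up front."""
    fmt = anchor_format(data)
    if fmt == "pem":
        return fmt, data.decode("ascii")
    if fmt == "der":
        return fmt, der_to_pem(data)
    return fmt, None


# Constructed sample standing in for a CA certificate:
# DER SEQUENCE { INTEGER 5 } = 30 03 02 01 05.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = der_to_pem(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    for name, blob in (("anchor.der", SAMPLE_DER),
                       ("anchor.pem", SAMPLE_PEM),
                       ("junk.bin", b"not a certificate")):
        fmt, pem = check_anchor(blob)
        print("%-10s -> %s" % (name, fmt))
```

Run it against the real anchor file with `check_anchor(open(path, "rb").read())`; only a "pem" result (or the converted text from a "der" result, written out to a new file) should go into the pkinit_anchors setting. The TCP point in the message is a separate knob: MIT krb5's `udp_preference_limit = 1` under [libdefaults] sends requests over TCP from the start instead of falling back after a UDP failure.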
More information about the krbdev mailing list