How to debug encode_krb5_error?

Greg Hudson ghudson at MIT.EDU
Wed Jun 12 12:18:34 EDT 2013

On 06/12/2013 06:37 AM, Weijun Wang wrote:
> When a replay is received, the kg_accept_krb5() function calls 
> krb5_mk_error(), which then calls encode_krb5_error() inside 
> lib/krb5/krb/mk_error.c. The last function returns 1859794433 (or 
> 6eda3601). What does it mean?

It's complaining about krb_error_data.server not being set.  It looks
like this bug was partly introduced in 1.3 (only in the case where no
acceptor name was imported) and always happens in 1.10.

I'll have to figure out what principal to put in there, since there is
no longer an obvious answer in all cases.

> It is automatically generated by some 
> ASN.1 parser and I cannot debug into it.

You can debug into ASN.1 routines (the macro-generated function is a
thin wrapper around k5_asn1_full_encode) but it's tough to make sense of
what's going on without detailed knowledge of the ASN.1 encoder.  That's
a drawback of table-driven encoding.

Error code 1859794433 is ASN1_MISSING_FIELD; you can tell that using
krb5_get_error_message() or just searching for the code in krb5.h.  From
there I looked at asn1_k_encode.c and RFC 4120 to see what fields aren't

More information about the krbdev mailing list