
Re: pkinit as_rep

Matthew N. Andrews wrote:
> 
> I've set up an install of the snapshot from the 14th with pkinit 
> enabled. when I try and kinit with an x509 cert, I see the following in 
> the kdc log:
> 
> 2005-04-22T16:37:19 AS-REQ ma3d@TEST.PDSF.NERSC.GOV from 
> IPv4:128.55.27.106 for krbtgt/TEST.PDSF.NERSC.GOV@TEST.PDSF.NERSC.GOV
> 2005-04-22T16:37:19 Looking for PKINIT pa-data -- ma3d@TEST.PDSF.NERSC.GOV
> 2005-04-22T16:37:19 Looking for ENC-TS pa-data -- ma3d@TEST.PDSF.NERSC.GOV
> 2005-04-22T16:37:19 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> 2005-04-22T16:37:19 sending 669 bytes to IPv4:128.55.27.106
> 
> 
> and the following output from kinit:
> 
> $ kinit -C FILE:/auto/u/ma3d/foo.crt,/auto/u/ma3d/foo.key 
> ma3d@TEST.PDSF.NERSC.GOV
> kinit: krb5_get_init_creds: unable to reach any KDC in realm 
> TEST.PDSF.NERSC.GOV
> 

Do you have a network trace, like ethereal, to see the as_req and response?
A response of 669 bytes sounds like an AS_REP rather than a KRB_ERROR packet.

> it seems that it's not actually finding the pkinit pre-auth data. 
> running gdb on the kdc I see the following in as_rep():
> 
> (gdb) c
> Continuing.
> 
> Breakpoint 2, as_rep (req=0xbfffccb0, reply=0xbfffcd38, from=0x82521c0 
> "IPv4:128.55.27.106", from_addr=0x8252138)
>     at kerberos5.c:737
> 737             int i = 0;
> (gdb) l
> 732
> 733         memset(&et, 0, sizeof(et));
> 734         memset(&ek, 0, sizeof(ek));
> 735
> 736         if(req->padata){
> 737             int i = 0;
> 738             PA_DATA *pa;
> 739             int found_pa = 0;
> 740
> 741     #ifdef PKINIT
> (gdb) n
> 739             int found_pa = 0;
> (gdb) n
> 742             kdc_log(5, "Looking for PKINIT pa-data -- %s", 
> client_name);
> (gdb) n
> 744             i = 0;
> (gdb) n
> 745             e_text = "No PKINIT PA found";
> (gdb) n
> 755                     continue;
> (gdb) c
> 

Can you set a breakpoint at find_padata, and pk_rd_padata?
How about a few printf statements?

> 
> I'm especially confused about the jump from line 745 to line 755. I 
> rebuilt by re-running configure with CFLAGS set to just -g thinking I 
> might just be looking at optimization weirdness, but that didn't seem to 
> make a difference.
> 
> any ideas?
> 
> any more info that's needed?

I have not tried the KDC, but have 20050405 client working to a Windows AD.

> 
> -Matt Andrews

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444