[37203] in Kerberos
Re: Heimdahl Kerberos on MacOSX 10.9.5 using pkinit produces verify
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sun Aug 23 21:23:30 2015
From: Russ Allbery <eagle@eyrie.org>
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <55D9E25D.80604@mit.edu> (Greg Hudson's message of "Sun, 23 Aug
2015 11:10:21 -0400")
Date: Sun, 23 Aug 2015 18:23:01 -0700
Message-ID: <87fv3932fe.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Greg Hudson <ghudson@mit.edu> writes:
> On 08/23/2015 09:51 AM, Glenn Machin wrote:
>> Aug 22 19:23:35 as36snllx krb5kdc[25098]: AS_REQ (7 etypes {18 17 16 23
>> 3 2 1}) 134.253.253.38: PREAUTH_FAILED: gmachin@dce.sandia.gov for
>> krbtgt/dce.sandia.gov@dce.sandia.gov, error:0D08303A:asn1 encoding
>> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>> Is this a known problem?
> We've seen one other report of this error with the same combination of
> OS X client and krb5 1.10 KDC. I might be able to track it down given a
> raw packet dump of the request, if you can send one to me personally.
> (There shouldn't be any really secret information in the packet dump,
> but the list server will strip attachments.)
> The other report was here:
> http://mailman.mit.edu/pipermail/kerberos/2015-June/020819.html
I'm pretty sure I saw something similar with Heimdal on Linux, but don't
have my test environment for PKINIT set up right now (or, rather, it's
generating a completely different set of weird errors at the moment).
I've had very poor luck with interoperability of PKINIT between Heimdal
and MIT, but haven't had a concrete need or project where I've had a
reason to dive in and gather data about exactly what's failing and why. :/
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
