[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pkinit as_rep

I've set up an install of the snapshot from the 14th with pkinit 
enabled. when I try and kinit with an x509 cert, I see the following in 
the kdc log:

2005-04-22T16:37:19 AS-REQ ma3d@TEST.PDSF.NERSC.GOV from 
2005-04-22T16:37:19 Looking for PKINIT pa-data -- ma3d@TEST.PDSF.NERSC.GOV
2005-04-22T16:37:19 Looking for ENC-TS pa-data -- ma3d@TEST.PDSF.NERSC.GOV
2005-04-22T16:37:19 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2005-04-22T16:37:19 sending 669 bytes to IPv4:

and the following output from kinit:

$ kinit -C FILE:/auto/u/ma3d/foo.crt,/auto/u/ma3d/foo.key 
kinit: krb5_get_init_creds: unable to reach any KDC in realm 

if seems that it's not actually finding the pkinit pre-auth data. 
running gdb on the kdc I see the following in as_rep():

(gdb) c

Breakpoint 2, as_rep (req=0xbfffccb0, reply=0xbfffcd38, from=0x82521c0 
"IPv4:", from_addr=0x8252138)
     at kerberos5.c:737
737             int i = 0;
(gdb) l
733         memset(&et, 0, sizeof(et));
734         memset(&ek, 0, sizeof(ek));
736         if(req->padata){
737             int i = 0;
738             PA_DATA *pa;
739             int found_pa = 0;
741     #ifdef PKINIT
(gdb) n
739             int found_pa = 0;
(gdb) n
742             kdc_log(5, "Looking for PKINIT pa-data -- %s", client_name);
(gdb) n
744             i = 0;
(gdb) n
745             e_text = "No PKINIT PA found";
(gdb) n
755                     continue;
(gdb) c

I'm expecially confused about the jump from line 745 to line 755. I 
rebuilt by re-running configure with CFLAGS set to just -g thinking I 
might just be looking at optimization weirdness, but that didn't seem to 
make a difference.

any ideas?

any more info that's needed?

-Matt Andrews