Since discovering the symptoms it is reproducible every time - from systems that are able to kinit normally, it happens when I kinit -n. From the new systems that are trying to bootstrap, it happens when I kinit -n.
Nothing has (to my knowledge) changed on these hosts. Indeed the KDC and normal Kerberos clients have been up for 80 days now with no patches/updates! I will try and capture the transaction/packets. - James James Croall | Senior Product Manager Coverity | 185 Berry Street | Suite 6500, Lobby 3 | San Francisco, CA 94107 Office: 415.694.5354 | Mobile: 202.246.6613 | jcro...@coverity.com The Leader in Development Testing On 10/11/13 6:45 PM, "Benjamin Kaduk" <ka...@mit.edu> wrote: >There are certainly some places in the pkinit code where the return value >is initialized to ENOMEM which can get returned for failures other than >memory allocation. It's hard to venture a guess as to which one(s) you >are running into, though. > >Do you have a sense for how reproducible the problem is? (E.g., on a >single client/machine level, all requests, somewhere in between.) If it >is reproducible, a captured packet could in principle be replayed against >a debugging KDC and the execution stepped through to find where the error >is returned. > >One coarse-grained factor is whether you are using the openssl or NSS >backend for pkinit. > >-Ben Kaduk > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos