On Wed, 20 May 2015, Nordgren, Bryce L -FS wrote:

> Real quick, is there a common cause for the following message in the context
> of PKINIT?
>
> kinit: Invalid argument while getting initial credentials
>
> Adding "-V" adds no information of value. KDC logs show that the correct
> principal was located and preauth is required.

The KRB5_TRACE environment variable is the new scheme for doing runtime
debugging, though it requires tracepoints to have been added to the code in
question. There do seem to be some tracepoints in pkinit, though, at least
on the current version of the tree.

> Wireshark shows a single AS_REQ/KRB_ERROR. Specifying identities on a
> smart card reveals that the network traffic completes, then a PIN is
> requested, then the "Invalid argument" error is emitted without further
> network traffic. As far as I can tell, this string exists exactly
> nowhere in the source code.

It is the com_err conversion for EINVAL, which appears many places in the
pkinit preauth module.

> I'll start polluting my box with *-devel packages to support recompiling
> with the debug option on, but I'm willing to stop if you already know
> the answer.

Ensure that DEBUG is defined in the preprocessor namespace. There are some
other macros (DEBUG_ASN1, DEBUG_DER, DEBUG_CKSU, etc.), but I would not
enable them at first.

-Ben
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos