Re: krb5 with anonymous kinit, Cannot allocate memory
Hi Greg,

Yup - Running 1.10+dfsg~beta1 - the default on my Ubuntu systems.

In retrospect I should have not just followed the pkinit setup instructions blindly, running openssl commands without giving them some thought. Without specifying days it will default to 30 days, and combined with the lack of good error reporting... Whew, panic time!

Appear to be all good now.

Cheers,

- James

James Croall | Senior Product Manager
Coverity | 185 Berry Street | Suite 6500, Lobby 3 | San Francisco, CA 94107
Office: 415.694.5354 | Mobile: 202.246.6613 | jcro...@coverity.com
The Leader in Development Testing

On 10/11/13 9:43 PM, Greg Hudson ghud...@mit.edu wrote:
> [...]

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
krb5 with anonymous kinit, Cannot allocate memory
Hi All,

Thanks again for the help getting anonymous kinit running! We have been running in production for over a month and things are going... well. Until today.

This week a new error occurred on the KDC side:

Oct 11 21:25:57 sso krb5kdc[10394](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.1.13: NEEDED_PREAUTH: WELLKNOWN/anonym...@trial.coverity.com for krbtgt/trial.coverity@trial.coverity.com, Additional pre-authentication required
Oct 11 21:25:58 sso krb5kdc[10394](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.1.13: KDC_RETURN_PADATA: WELLKNOWN/anonym...@trial.coverity.com for krbtgt/trial.coverity@trial.coverity.com, Cannot allocate memory

It is the second line that is problematic. The kinit side reports:

kinit: Generic error (see e-text) while getting initial credentials

The system is not out of memory. No system configuration changes have been made. I am at a loss. Googling around I see strange reports of this error coming and then going and I don't know what to make of it.

Any ideas?

- James
Re: krb5 with anonymous kinit, Cannot allocate memory
I should add, this error occurs when running kinit -n. I can still kinit as a user on an already setup host and get a TGT.

- James

On 10/11/13 2:49 PM, James Croall jcro...@coverity.com wrote:
> [...]
Re: krb5 with anonymous kinit, Cannot allocate memory
Poking around with strace, and running krb5kdc with debug enabled, I see no smoking gun that there is a lack of memory problem. Searching the kerberos mailing list and other forums I see similar reports, but no explanation of cause or possible solutions. A bit lost here. It was working great for a month.

Here's what happens when I run kinit -n:

Oct 12 01:35:39 sso krb5kdc[1786](debug): checking padata
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. pa_type 0x95
Oct 12 01:35:39 sso krb5kdc[1786](debug): client needs preauth, no hw preauth; request has no preauth, no hw preauth
Oct 12 01:35:39 sso krb5kdc[1786](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.252: NEEDED_PREAUTH: WELLKNOWN/anonym...@trial.coverity.com for krbtgt/trial.coverity@trial.coverity.com, Additional pre-authentication required
Oct 12 01:35:39 sso krb5kdc[1786](debug): checking padata
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. pa_type 0x85
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. pa_type 0x10
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. pa_type pkinit
Oct 12 01:35:39 sso krb5kdc[1786](debug): .. .. ok
Oct 12 01:35:39 sso krb5kdc[1786](debug): client needs preauth, no hw preauth; request has preauth, no hw preauth
Oct 12 01:35:39 sso krb5kdc[1786](debug): original preauth mechanism list:
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... etype-info(11)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... etype-info2(19)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pw-salt(3)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... encrypted_challenge(138)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(16)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(14)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(15)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(147)
Oct 12 01:35:39 sso krb5kdc[1786](debug): sorted preauth mechanism list:
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(16)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(14)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(15)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... encrypted_challenge(138)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... etype-info(11)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... etype-info2(19)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pw-salt(3)
Oct 12 01:35:39 sso krb5kdc[1786](debug): ... pkinit(147)
Oct 12 01:35:39 sso krb5kdc[1786](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.252: KDC_RETURN_PADATA: WELLKNOWN/anonym...@trial.coverity.com for krbtgt/trial.coverity@trial.coverity.com, Cannot allocate memory

Any suggestions appreciated.

Thanks,

- James

On 10/11/13 2:57 PM, James Croall jcro...@coverity.com wrote:
> [...]
Re: krb5 with anonymous kinit, Cannot allocate memory
There are certainly some places in the pkinit code where the return value is initialized to ENOMEM which can get returned for failures other than memory allocation. It's hard to venture a guess as to which one(s) you are running into, though.

Do you have a sense for how reproducible the problem is? (E.g., on a single client/machine level, all requests, somewhere in between.) If it is reproducible, a captured packet could in principle be replayed against a debugging KDC and the execution stepped through to find where the error is returned.

One coarse-grained factor is whether you are using the openssl or NSS backend for pkinit.

-Ben Kaduk
Re: krb5 with anonymous kinit, Cannot allocate memory
Since discovering the symptoms it is reproducible every time - from systems that are able to kinit normally, it happens when I kinit -n. From the new systems that are trying to bootstrap, it happens when I kinit -n.

Nothing has (to my knowledge) changed on these hosts. Indeed the KDC and normal Kerberos clients have been up for 80 days now with no patches/updates!

I will try and capture the transaction/packets.

- James

On 10/11/13 6:45 PM, Benjamin Kaduk ka...@mit.edu wrote:
> [...]
Re: krb5 with anonymous kinit, Cannot allocate memory
Some sleuthing and adding DEBUG to pkinit.so reveals:

pkinit_find_realm_context: returning context at 0x20108c0 for realm 'TRIAL.COVERITY.COM'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
cert = /C=US/ST=CA/L=San Francisco/O=Coverity Free Trial/CN=sso.trial.coverity.com
callback function: 10 (certificate has expired)
failed to create a certificate chain: certificate has expired
=== failed to create pkcs7 signed data
pkinit_fini_kdc_req_context: freeing reqctx at 0x2030c30
pkinit_fini_req_crypto: freeing ctx at 0x2030950
Oct 12 03:51:02 sso krb5kdc[2507](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.252: KDC_RETURN_PADATA: WELLKNOWN/anonym...@trial.coverity.com for krbtgt/trial.coverity@trial.coverity.com, Cannot allocate memory

AHA! I must have accidentally set the certificate to expire in a month rather than a year. Approximate times line up. Reasonable user error. Very poor error reporting though!

- James

On 10/11/13 6:54 PM, James Croall jcro...@coverity.com wrote:
> [...]
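The mechanism Ben describes (a return value pre-initialized to ENOMEM that survives a non-memory failure) and the trace above (an expired KDC signer certificate surfacing as "Cannot allocate memory") can be reproduced in miniature. The C program below is an added example written for this page, not krb5 code and not the change in Greg's commit: the toy_cert struct, the TOY_* error codes and the sign_padata_before/sign_padata_after names are hypothetical, and the dates are constructed (a certificate valid for 30 days, which is what openssl issues when -days is omitted, examined 40 days after issue). It shows the "before" pattern returning ENOMEM for an expired certificate and an "after" variant that reports the real cause.

```c
/* Added example, not krb5 code: how a return value pre-initialized to
 * ENOMEM turns an expired-certificate failure into "Cannot allocate
 * memory", and one way to report the real cause instead.
 * All names, codes and dates here are hypothetical or constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical signer certificate: only the fields the check needs. */
struct toy_cert {
    const char *subject;
    time_t not_before;
    time_t not_after;
};

/* Hypothetical error codes standing in for krb5 error values. */
enum {
    TOY_OK = 0,
    TOY_ERR_CERT_EXPIRED = 1001,
    TOY_ERR_CERT_NOT_YET_VALID = 1002
};

/* 0 if the certificate is valid at `now`, otherwise a specific code. */
static int toy_check_validity(const struct toy_cert *c, time_t now)
{
    if (now < c->not_before)
        return TOY_ERR_CERT_NOT_YET_VALID;
    if (now > c->not_after)
        return TOY_ERR_CERT_EXPIRED;
    return TOY_OK;
}

/* BEFORE: retval starts as ENOMEM and the chain-building failure path
 * jumps to cleanup without overwriting it, so the caller (and the KDC
 * log) see strerror(ENOMEM) for a problem unrelated to memory. */
int sign_padata_before(const struct toy_cert *signer, time_t now,
                       char *errbuf, size_t errlen)
{
    int retval = ENOMEM;
    errbuf[0] = '\0';
    if (toy_check_validity(signer, now) != TOY_OK)
        goto cleanup;                /* retval is still ENOMEM here */
    /* ... building and signing the PA-PK-AS-REP would go here ... */
    retval = TOY_OK;
cleanup:
    if (retval != TOY_OK)
        snprintf(errbuf, errlen, "%s", strerror(retval));
    return retval;
}

/* AFTER: each failure sets its own code and a message naming the cause. */
int sign_padata_after(const struct toy_cert *signer, time_t now,
                      char *errbuf, size_t errlen)
{
    int retval = toy_check_validity(signer, now);
    errbuf[0] = '\0';
    if (retval != TOY_OK) {
        snprintf(errbuf, errlen, "cannot build certificate chain for %s: %s",
                 signer->subject,
                 retval == TOY_ERR_CERT_EXPIRED ? "certificate has expired"
                                                : "certificate not yet valid");
        return retval;
    }
    /* ... building and signing the PA-PK-AS-REP would go here ... */
    return TOY_OK;
}

/* Constructed sample: a certificate valid for 30 days (openssl's default
 * when -days is omitted), examined `days_after_issue` days later. */
static const time_t ISSUED = 1378944000;  /* 2013-09-12 00:00:00 UTC, constructed */

int before_code(int days_after_issue, char *errbuf, size_t errlen)
{
    struct toy_cert kdc = { "CN=sso.trial.coverity.com",
                            ISSUED, ISSUED + 30 * 86400 };
    return sign_padata_before(&kdc, ISSUED + (time_t)days_after_issue * 86400,
                              errbuf, errlen);
}

int after_code(int days_after_issue, char *errbuf, size_t errlen)
{
    struct toy_cert kdc = { "CN=sso.trial.coverity.com",
                            ISSUED, ISSUED + 30 * 86400 };
    return sign_padata_after(&kdc, ISSUED + (time_t)days_after_issue * 86400,
                             errbuf, errlen);
}

int main(void)
{
    char msg[128];
    int rc;
    rc = before_code(40, msg, sizeof msg);
    printf("before, day 40: %d (%s)\n", rc, msg);  /* ENOMEM, "Cannot allocate memory" */
    rc = after_code(40, msg, sizeof msg);
    printf("after,  day 40: %d (%s)\n", rc, msg);  /* 1001, names the expired cert */
    return 0;
}
```

The practical takeaway for anyone hitting the same symptom on a pre-1.11 KDC is that an ENOMEM from the pkinit return-padata path is not evidence of memory pressure; check the KDC's pkinit signer certificate validity period before anything else.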
Re: krb5 with anonymous kinit, Cannot allocate memory
On 10/11/2013 11:54 PM, James Croall wrote:
> AHA! I must have accidentally set the certificate to expire in a month
> rather than a year. Approximate times line up. Reasonable user error.
> Very poor error reporting though!

I believe I improved the error reporting for this case in 1.11:
https://github.com/krb5/krb5/commit/6d19259c7eb9277c12a7f2eec9aa80563b4c5acc

Can you confirm that you are running 1.10 or earlier?