
List:       krbdev
Subject:    RE: *Excellent* error message missing from newer krb5-libs versions...
From:       <Spike_White () dell ! com>
Date:       2014-04-29 0:31:43
Message-ID: BABF60987D48764FA4071AC73CB9C56162A4B4709F () AUSX7MCPC101 ! AMER ! DELL ! COM

Excellent work!

Any extra clues that help us harried sysadmins in diagnosing Kerberos-related
misconfigurations would be greatly appreciated.  Just today, I've had to diagnose &
fix 4 different unrelated server and/or principal misconfigurations.

Luckily, none as obscure as this first one.

Spike

-----Original Message-----
From: Greg Hudson [mailto:ghudson@MIT.EDU]
Sent: Monday, April 28, 2014 4:12 PM
To: White, Spike; krbdev@mit.edu
Subject: Re: *Excellent* error message missing from newer krb5-libs versions...

On 04/27/2014 01:49 PM, Spike_White@dell.com wrote:
> krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
> "Wrong principal in request (found %s, wanted %s)",
> found_name, wanted_name);
[...]
> As you can see, that excellent krb5_set_error_message() call has been stripped out.
> Can that useful & descriptive error message be put back in please?

Two big things have changed in krb5_rd_req since 1.6: server principal aliases[1] in
1.7 and flexible acceptor names[2] in 1.10. Because of these features, it's not as
simple as adding back a simple diagnostic like the one in 1.6.

But I agree that the current error result is much less helpful than it should be,
given how often administrators have to diagnose ticket decryption failures. I have
put together a candidate patch series which I hope will make it easier to diagnose
ticket decryption failures. It is at:

https://github.com/krb5/krb5/pull/108

but it may change significantly before it is pushed to the master branch.

[1] http://k5wiki.kerberos.org/wiki/Projects/Aliases
[2] http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

