[krbdev.mit.edu #7910] krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)

Richard Basch via RT rt-comment at krbdev.mit.edu
Tue Jun 3 19:19:08 EDT 2014


Resending (reformatted to avoid line break in middle of URL).

Proposed fix:

https://github.com/rbasch/krb5/commit/fe8223afe3acf8749a1aed62044359bbf5bc6a75


-----Original Message-----
From: Tom Yu via RT [mailto:rt-comment at krbdev.mit.edu]
Sent: Wednesday, May 14, 2014 3:21 PM
To: basch at alum.mit.edu
Subject: Re: [krbdev.mit.edu #7910] krb5-1.12 logging incomplete
(PROCESS_TGS - Ticket expired)

"Richard Basch via RT" <rt-comment at krbdev.mit.edu> writes:

> When a TGT has expired but is presented to the KDC, the KDC will log 
> <unknown client> for server_principal at REALM, Ticket expired.
>
> Though patches have already been adopted to correct the service 
> principal logging (which was faulty in 1.11 & 1.12), the client 
> principal is not properly decoded/displayed, especially in the 
> "expired ticket" case. This can make diagnostics a little more 
> challenging in some cases.

I agree that omitting the client name from that error can make diagnostics
challenging.  I think we've known about this issue for quite some time, but
haven't figured out a good way to fix it yet.

I would not expect fixing this to be easy.  As I recall, there would need to
be changes to the error paths in rd_req_decoded_opt() to preserve some of
the decrypted and decoded ticket contents, and we would consequently have to
work harder to correctly manage the associated memory allocations.





