[krbdev.mit.edu #7910] krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)
Tom Yu via RT
rt-comment at krbdev.mit.edu
Wed May 14 15:21:23 EDT 2014
"Richard Basch via RT" <rt-comment at krbdev.mit.edu> writes:
> When a TGT has expired but is presented to the KDC, the KDC will log
> <unknown client> for server_principal at REALM, Ticket expired.
>
> Though patches have already been adopted to correct the service principal
> logging (which was faulty in 1.11 & 1.12), the client principal is not
> properly decoded/displayed, especially in the "expired ticket" case. This
> can make diagnostics a little more challenging in some cases.

I agree that omitting the client name from that error can make
diagnostics challenging. I think we've known about this issue for quite
some time, but haven't figured out a good way to fix it yet.

I would not expect fixing this to be easy. As I recall, there would
need to be changes to the error paths in rd_req_decoded_opt() to
preserve some of the decrypted and decoded ticket contents, and we would
consequently have to work harder to correctly manage the associated
memory allocations.