Proper way to do logging (KDC) from preauth plugin?

Jeff Blaine jblaine at kickflop.net
Wed Apr 21 22:32:28 EDT 2010 

It's been ages since I've been inside gdb, so please
pardon my lack of skill.

kdc_verify_preauth() is never called according to this
(not for my plugin or any other):

(gdb) rbreak .*preauth.*
Breakpoint 1 at 0x80500bc: file fast_util.c, line 479.
krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *,
     krb5_pa_data **);
Breakpoint 2 at 0x8057789: file kdc_preauth.c, line 1003.
void get_preauth_hint_list(krb5_kdc_req *, krb5_db_entry *, krb5_db_entry *,
     krb5_data *);
Breakpoint 3 at 0x80579e9: file kdc_preauth.c, line 414.
krb5_error_code load_preauth_plugins(krb5_context);
Breakpoint 4 at 0x8054ba3: file kdc_preauth.c, line 981.
const char *missing_required_preauth(krb5_db_entry *, krb5_db_entry *,
     krb5_enc_tkt_part *);
Breakpoint 5 at 0x8057949: file kdc_preauth.c, line 574.
krb5_error_code unload_preauth_plugins(krb5_context);
(gdb) run
Starting program: /usr/mykrb/sbin/krb5kdc -n -r MYREALM.OUR.ORG

Breakpoint 3, load_preauth_plugins (context=0x84430e0) at kdc_preauth.c:414
414     {
(gdb) continue
Continuing.
[Thread debugging using libthread_db enabled]
krb5kdc: starting...
[New Thread 0xb7fbd8d0 (LWP 26114)]

Breakpoint 4, missing_required_preauth (client=0xbfac5ae4, 
server=0xbfac5aa0,
     enc_tkt_reply=0xbfac5b28) at kdc_preauth.c:981
981         if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
(gdb) continue
Continuing.

Breakpoint 2, get_preauth_hint_list (request=0x8447dc8, client=0xbfac5ae4,
     server=0xbfac5aa0, e_data=0xbfac5c80) at kdc_preauth.c:1003
1003        e_data->length = 0;
(gdb) continue
Continuing.

Breakpoint 1, kdc_preauth_get_cookie (state=0x8447f48, cookie=0x8449db8)
     at fast_util.c:479
479         contents = strdup("MIT");
(gdb) continue
Continuing.

Breakpoint 4, missing_required_preauth (client=0xbfac5ae4, 
server=0xbfac5aa0,
     enc_tkt_reply=0xbfac5b28) at kdc_preauth.c:981
981         if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
(gdb) continue
Continuing.

[ kinit on client has returned already, with granted creds ]
[ this just sits here now ]

On 4/21/2010 7:11 PM, Greg Hudson wrote:
> On Wed, 2010-04-21 at 17:59 -0400, Jeff Blaine wrote:
>> # gdb /usr/mykrb/sbin/krb5kdc
>> (gdb) set follow-fork-mode child
>
> Try running krb5kdc with the -n flag instead of following the fork.
>
>
>

More information about the krbdev mailing list