KfW 3.1: Re-directed stderr of kinit/klist displays dialog

Christopher D. Clausen cclausen at acm.org
Tue Feb 20 19:23:29 EST 2007 

petesea at bigfoot.com wrote:
> On Tue, 20 Feb 2007, Jeffrey Altman wrote:
>> petesea at bigfoot.com wrote:
>>
>>> Is there a way to redirect stderr from kinit/klist to a file?
>>
>> stdin and stderr cannot be redirected.  they are used for password
>> prompting
>
> Hmmm.... but I'm not trying to redirect the password prompt... in
> fact, kinit won't let me redirect the password prompt, it still
> displays it in the shell (NOT as a Windows dialog):
>
>   C:\> kinit 2>err.our
>   Password for bozo at CLOWN.COM:
>
> That's fine.... and I'm not suggesting it should work any
> different... for the password prompt that is...
>
> But if I'm using "kinit -kt" or "klist" or "kdestroy"... (none of
> which should prompt for a password or require any keyboard input),
> then I think you should be able to redirect stderr.
>
> Unfortunately, if I try to run any of those commands and I get an
> error AND stderr is re-directed then I get a Windows dialog instead.
>
>   C:\> kinit -kt foobar 2>err.out
>   (Windows dialog with error, nothing in err.out)
>
> The problem is, if you're running an automated background job using a
> keytab and something's wrong (eg the keytab is missing), it makes it
> VERY difficult to find the problem.  You can't redirect stderr
> because that triggers a Windows dialog which could cause the
> background job to hang waiting for user input it's never going to
> get.  Or if it doesn't hang, there's no way to log the error to see
> why it failed.

Well, can't you check the exit error codes set by the program?

C:\>kinit -kt test
kinit(v5): Cannot resolve network address for KDC in requested realm 
while getting initial credentials
C:\>echo %ERRORLEVEL%
1
C:\>klist
klist: No credentials cache found (ticket cache 
API:notguest at AD.UIUC.EDU)
C:\>echo %ERRORLEVEL%
1
C:\>kinit cclausen
Password for cclausen at AD.UIUC.EDU:
C:\>echo %ERRORLEVEL%
0
C:\>klist
Ticket cache: API:notguest at AD.UIUC.EDU
Default principal: cclausen at AD.UIUC.EDU
Valid starting     Expires            Service principal
02/20/07 18:14:49  02/21/07 04:14:49  krbtgt/AD.UIUC.EDU at AD.UIUC.EDU
C:\>echo %ERRORLEVEL%
0

Also, I can redirect the klist output just fine.  What are you doing?

C:\>klist 2>&1 1>%TEMP%\test.txt
C:\>cat %TEMP%\test.txt
Ticket cache: API:notguest at AD.UIUC.EDU
Default principal: cclausen at AD.UIUC.EDU
Valid starting     Expires            Service principal
02/20/07 18:14:49  02/21/07 04:14:49  krbtgt/AD.UIUC.EDU at AD.UIUC.EDU
C:\>

But yes, I'd agree that dialogs from kinit stderr redirection attempts 
are quite odd and unexpected.

<<CDC

More information about the Kerberos mailing list