KDC TGS_REQ ticket expired log message has no client or server info

Greg Hudson ghudson at MIT.EDU
Mon Aug 8 01:54:55 EDT 2011


On Thu, 2011-07-28 at 19:19 -0400, Chris Hecker wrote:
> Hmm, digging deeper, the krb5_rd_req_decoded(_anyflag) functions are in 
> k5-int.h, and are only called from a couple places throughout all the 
> code.  I could easily have them leave client even on failure

I assume you mean krb5_rd_req_decoded would set the ticket output value
in cases where it decrypts and decodes successfully but doesn't
validate?  I think that would be acceptable, and there even seems to be
KDC code to handle this case.

I think it would be possible to log the server name as well, since
that's just sitting in the request structure.  I know that's less
interesting to you.




