KDC TGS_REQ ticket expired log message has no client or server info
Chris Hecker
checker at d6.com
Mon Aug 8 03:42:29 EDT 2011
> I assume you mean krb5_rd_req_decoded would set the ticket output
> value in cases where it decrypts and decodes successfully but
> doesn't validate?
Yeah, and the caller would be responsible for calling
krb5_free_enc_tkt_part if the ticket is non-null instead of it being
called in cleanup: at the bottom of rd_req_decoded_opt. It's only
called in a couple places, and the more public and common krb5_rd_req
could just delete it on failure to stay compatible.
> I think it would be possible to log the server name as well, since
> that's just sitting in the request structure. I know that's less
> interesting to you.
That'd be great, the more detailed logging the better, especially if
it's free!
Chris
On 2011/08/07 22:54, Greg Hudson wrote:
> On Thu, 2011-07-28 at 19:19 -0400, Chris Hecker wrote:
>> Hmm, digging deeper, the krb5_rd_req_decoded(_anyflag) functions are in
>> k5-int.h, and are only called from a couple places throughout all the
>> code. I could easily have them leave client even on failure
>
> I assume you mean krb5_rd_req_decoded would set the ticket output value
> in cases where it decrypts and decodes successfully but doesn't
> validate? I think that would be acceptable, and there even seems to be
> KDC code to handle this case.
>
> I think it would be possible to log the server name as well, since
> that's just sitting in the request structure. I know that's less
> interesting to you.
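The ownership change discussed above (the decode routine hands back a partially validated ticket on a validation failure such as expiry, so the KDC can log the client and server principals, while the public wrapper keeps its old free-on-failure contract) is easy to get wrong in C: either the caller leaks the ticket, or the caller and the wrapper both free it. The following is an added, self-contained model of that pattern written for this thread; it is not krb5 code, and `tkt_part`, `rd_req_decoded`, `rd_req`, `kdc_log_expired` and the `client|server|endtime` wire format are all constructed stand-ins for the real structures and API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the decrypted ticket part (krb5_enc_tkt_part). */
typedef struct {
    char *client;   /* client principal name */
    char *server;   /* service principal name */
    long  endtime;  /* ticket expiry, seconds since epoch (constructed) */
} tkt_part;

enum { OK = 0, ERR_DECODE = 1, ERR_EXPIRED = 2 };

/* Stand-in for krb5_free_enc_tkt_part; safe to call on NULL so callers
 * can free unconditionally in their cleanup path. */
void free_tkt_part(tkt_part *t)
{
    if (t == NULL) return;
    free(t->client);
    free(t->server);
    free(t);
}

static char *dup_str(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d == NULL) return NULL;
    memcpy(d, s, n);
    d[n] = '\0';
    return d;
}

/* Model of the proposed rd_req_decoded behaviour (hypothetical API):
 * on a decode failure *out stays NULL; on a validation failure such as
 * expiry *out is still set, and the caller owns it.  Constructed wire
 * format: "client|server|endtime". */
int rd_req_decoded(const char *wire, long now, tkt_part **out)
{
    const char *p1, *p2;
    tkt_part *t;

    *out = NULL;
    p1 = strchr(wire, '|');
    if (p1 == NULL) return ERR_DECODE;
    p2 = strchr(p1 + 1, '|');
    if (p2 == NULL) return ERR_DECODE;

    t = calloc(1, sizeof *t);
    if (t == NULL) return ERR_DECODE;
    t->client  = dup_str(wire, (size_t)(p1 - wire));
    t->server  = dup_str(p1 + 1, (size_t)(p2 - (p1 + 1)));
    t->endtime = atol(p2 + 1);
    if (t->client == NULL || t->server == NULL) {
        free_tkt_part(t);
        return ERR_DECODE;
    }

    *out = t;                       /* decoded: hand it back even if invalid */
    if (t->endtime < now) return ERR_EXPIRED;
    return OK;
}

/* Model of the compatible public wrapper (stand-in for krb5_rd_req):
 * keeps the old contract by releasing the ticket on any failure. */
int rd_req(const char *wire, long now, tkt_part **out)
{
    int ret = rd_req_decoded(wire, now, out);
    if (ret != OK) {
        free_tkt_part(*out);
        *out = NULL;
    }
    return ret;
}

/* KDC-style caller: name the client and server in the expiry log line,
 * then free the ticket exactly once. */
int kdc_log_expired(const char *wire, long now, char *logbuf, size_t n)
{
    tkt_part *t = NULL;
    int ret = rd_req_decoded(wire, now, &t);

    if (ret == ERR_EXPIRED && t != NULL)
        snprintf(logbuf, n, "TGS_REQ: ticket expired, client=%s server=%s",
                 t->client, t->server);
    else if (ret != OK)
        snprintf(logbuf, n, "TGS_REQ: error %d, ticket not decodable", ret);
    else
        snprintf(logbuf, n, "TGS_REQ: ok, client=%s", t->client);

    free_tkt_part(t);   /* NULL-safe, so one cleanup path covers all cases */
    return ret;
}
```

The split of responsibility is the point: only `rd_req_decoded` callers that want the partially validated ticket (here the KDC logger) take on freeing it, while `rd_req` continues to return NULL on failure, so existing callers need no change.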