[krbdev.mit.edu #7232] Confusing error message for key version mismatch
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Aug 8 13:09:38 EDT 2012
Looking back through the archives, this is actually a conscious change:
http://mailman.mit.edu/pipermail/krbdev/2008-December/007154.html
Sam's reasoning was that wrong-key-version errors aren't very common,
which I think is not necessarily true.
I think with a little bit of additional code, we can return a clearer
error code in the non-alias case.
Sam also notes that gssrpc__svcauth_gssapi() uses KRB5KRB_AP_WRONG_PRINC
to iterate over service principal names. I think it's fine not to
iterate in the cases where we'd produce a kvno mismatch error code.
More information about the krb5-bugs
mailing list