[krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging

Richard Basch via RT rt-comment at krbdev.mit.edu
Tue Dec 24 21:33:57 EST 2013


Ok, I just re-ran the test under 1.11.
For the AS_REQ case, 1.11 doesn't seem to have the issue, but 1.12 does.
For the TGS_REQ case, both 1.11 and 1.12 are affected.

-----Original Message-----
From: Tom Yu via RT [mailto:rt-comment at krbdev.mit.edu]
Sent: Tuesday, December 24, 2013 3:00 PM
To: Basch, Richard [Tech]
Subject: Re: [krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging

"Richard Basch via RT" <rt-comment at krbdev.mit.edu> writes:

> If a user attempts to authenticate with an unknown client or to an unknown service, the service name is not depicted in the Kerberos logs.
>
> This makes anomaly detection harder to perform as well as impeding diagnostics.
>
> How to reproduce:
>
> 1. For AS_REQ, simply use kinit with an unknown client name (krbtgt/REALM@REALM will not be logged as the service name).

Can you clarify whether you see this with both krb5-1.11 and krb5-1.12?  By my reading of the code, your patch to do_as_req.c undoes the move of a code block that happened between krb5-1.11 and krb5-1.12.

> 2. For TGS_REQ, simply use kvno to query an unknown service name.

As I recall from the code in do_tgs_req.c, the behavior for krb5-1.11 and krb5-1.12 for unknown service principal names should be the same, so the patch probably applies to both.
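The logging gap discussed in this ticket shows up on the KDC side as a placeholder where the service (or client) principal should be. The following is an added example, not code from the ticket or from MIT krb5: a small parser for krb5kdc.log lines that flags AS_REQ/TGS_REQ entries whose principal field was not filled in, so an operator can see which error paths leave logs incomplete. The log line layout and the `<unknown server>` / `<unknown client>` placeholder strings are assumptions about the KDC log format, and the sample lines are constructed.

```python
import re

# Constructed sample krb5kdc.log lines (not taken from the ticket). The layout and the
# "<unknown server>" placeholder are assumptions about the KDC log format.
SAMPLE_LOG = """\
Dec 24 21:30:01 kdc1 krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1387938601, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 24 21:30:07 kdc1 krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: CLIENT_NOT_FOUND: nosuchuser@EXAMPLE.COM for <unknown server>, Client not found in Kerberos database
Dec 24 21:30:12 kdc1 krb5kdc[2201](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: UNKNOWN_SERVER: authtime 0,  alice@EXAMPLE.COM for <unknown server>, Server not found in Kerberos database
Dec 24 21:30:15 kdc1 krb5kdc[2201](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1387938601, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web1.example.com@EXAMPLE.COM
"""

# Request kind, requester address, status word, then the optional "authtime ..., etypes ..., "
# prefix that ISSUE/UNKNOWN_SERVER lines carry, then "<client> for <server>".
LOG_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:.*?,\s+)?(?P<client>\S+) for (?P<server>[^,]+)"
)

PLACEHOLDERS = {"<unknown server>", "<unknown client>"}


def parse_kdc_line(line):
    """Return a dict with kind/addr/status/client/server, or None if not a request line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def find_incomplete_entries(log_text):
    """Return parsed entries where the KDC logged a placeholder instead of a principal name.

    These are the entries an anomaly detector cannot attribute to a service, which is
    exactly the diagnostic gap the ticket describes.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_kdc_line(line)
        if entry and (entry["server"] in PLACEHOLDERS or entry["client"] in PLACEHOLDERS):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in find_incomplete_entries(SAMPLE_LOG):
        print(f"{e['kind']} from {e['addr']} ({e['status']}): "
              f"client={e['client']} server={e['server']}")
```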
