Debugging API for krb5

Jeffrey Altman jaltman at
Thu Feb 5 03:32:28 EST 2004

I would like to start a discussion on the subject of a debugging api for 
use with the krb5 library.
The goal is to provide an api which can be used by Kerberos aware 
applications to activate logging information
which can in turn be used for debugging and diagnoses of application 

The Windows krb4 library has for a long time possessed a very simple 
(perhaps primitive) mechanism which
allowed applications to turn on debugging.  Debug messages would be sent 
to (either the "Debug Window"
of the Leash Ticket Manager OR to the Windows Debugger Output display) 
AND written to a log file
placed in the directory specified by the TEMP or TMP environment 
variables.  This capability has allowed
the MIT help desk to support users when there have been problems 
obtaining Ticket Getting Tickets or
application service tickets (in some instances).

The lack of similar support in the Krb5 libraries has hampered the 
ability of the Help Desk to diagnose
problems now that KfW no longer utilizes Krb4 TGS_REQ messages to obtain 
Krb4 TGTs.  I am
proposing the following api:

    krb5_error   krb5_get_debug(krb5_context ctx, uint32 *debug_mask)
    krb5_error   krb5_set_debug(krb5_context ctx, uint32 debug_mask)

A mask is used to allow different qualities of debugging messages to be 
At first we will probably define a small number of types.  Perhaps

    KRB5_DEBUG_NONE   0x0
    KRB5_DEBUG_TGS    0x1
    KRB5_DEBUG_AP     0x2
The debugging mode will be stored within the krb5_context.
The initial value of the debugging mode will be read from the profile:
        debug_mask = 3
        debug_log  = FILE:<path>

The actual debug statements themselves will be of the form

     krb5int_debug_message(krb5_context ctx, char * fmt, ...)

Each platform will define its own implementation of krb5int_debug_message()
as needed.   The Windows version will behave similar to the existing Krb4
interface.  The Unix version could either write messages to a log file,
to stderr, or to the syslog() api.

Comments would be appreciated.


Jeffrey Altman

More information about the krbdev mailing list