Debugging API for krb5
jaltman at columbia.edu
Thu Feb 5 03:32:28 EST 2004
I would like to start a discussion on the subject of a debugging api for
use with the krb5 library.
The goal is to provide an api which can be used by Kerberos aware
applications to activate logging information
which can in turn be used for debugging and diagnoses of application
The Windows krb4 library has for a long time possessed a very simple
(perhaps primitive) mechanism which
allowed applications to turn on debugging. Debug messages would be sent
to (either the "Debug Window"
of the Leash Ticket Manager OR to the Windows Debugger Output display)
AND written to a log file
placed in the directory specified by the TEMP or TMP environment
variables. This capability has allowed
the MIT help desk to support users when there have been problems
obtaining Ticket Getting Tickets or
application service tickets (in some instances).
The lack of similar support in the Krb5 libraries has hampered the
ability of the Help Desk to diagnose
problems now that KfW no longer utilizes Krb4 TGS_REQ messages to obtain
Krb4 TGTs. I am
proposing the following api:
krb5_error krb5_get_debug(krb5_context ctx, uint32 *debug_mask)
krb5_error krb5_set_debug(krb5_context ctx, uint32 debug_mask)
A mask is used to allow different qualities of debugging messages to be
At first we will probably define a small number of types. Perhaps
The debugging mode will be stored within the krb5_context.
The initial value of the debugging mode will be read from the profile:
debug_mask = 3
debug_log = FILE:<path>
The actual debug statements themselves will be of the form
krb5int_debug_message(krb5_context ctx, char * fmt, ...)
Each platform will define its own implementation of krb5int_debug_message()
as needed. The Windows version will behave similar to the existing Krb4
interface. The Unix version could either write messages to a log file,
to stderr, or to the syslog() api.
Comments would be appreciated.
More information about the krbdev