Proper way to do logging (KDC) from preauth plugin?

Jeff Blaine jblaine at
Thu Apr 22 11:59:31 EDT 2010

I have 1 plugin installed (mine).  It is never referenced
from what I can see stepping through gdb once a break
is hit on check_padata().  I did that just now based on
your reply.

 From what I can gather then, the non-plugin preauth
mech is working (verify_enc_timestamp() is called
and I have no plugin for enc challenge), so my plugin
is not referenced.  Does that sound like a reasonable

Any advice?  This preauth plugin must be called and
must succeed.

Thanks for the guidance so far.  Once I make some progress
(or I suppose even if I don't...), I'll update the wiki
with some notes from this exchange so the next person
has *something* to reference other than comment-less
source code :)

On 4/21/2010 11:18 PM, Greg Hudson wrote:
> On Wed, 2010-04-21 at 22:32 -0400, Jeff Blaine wrote:
>> kdc_verify_preauth() is never called according to this
>> (not for my plugin or any other):
> Here's what's expected to happen:
> * kinit sends an AS request with no preauth information.
> * The KDC sees the requires_preauth flag on the principal and returns an
> error with a list of possible preauth mechanisms (consulting each
> module's get_edata method).  The code path here is process_as_req()
> calling missing_required_preauth(), receiving a non-null status, and
> then calling get_preauth_hint_list().
> * kinit processes the hint list, possibly asking for the user's password
> or PIN.
> * kinit sends another AS request with preauthentication.
> * process_as_req() calls check_padata() to validate the
> preauthentication.  The modules which handle the preauthentication types
> in the packet have their verify_padata methods invoked, until one
> succeeds which is deemed "sufficient."

More information about the krbdev mailing list