Notes on lost extended error messages for kinit -k

Jeffrey Altman jaltman at secure-endpoints.com
Thu Jun 30 10:25:59 EDT 2011


On 6/30/2011 1:20 AM, ghudson at MIT.EDU wrote:

> * Perhaps krb5_get_init_creds_keytab() should save the error message
>   before the retry, and put it back if it decides to use ret instead
>   of ret2.  Perhaps we want convenience functions to make this easier
>   to do.
> 

I think it is the responsibility of code such as this to save context
and restore it as necessary.

The krb5_get_init_creds_keytab() case is flawed for another reason.  The
force retry to master call is made regardless of whether or not there is
a master defined.  As a result it is impossible for
krb5_get_init_creds_keytab() to know whether or not the error state from
the second call is more or less meaningful than the first.

If this code were to be restructured, I would have a function that
determines whether or not there are masters defined and only make the
second call if there are.  Secondly, the master list should be cached so
that the cost of dns lookups is not repeated.

Jeffrey Altman
