Notes on lost extended error messages for kinit -k

Nico Williams nico at cryptonector.com
Thu Jun 30 17:05:56 EDT 2011


On Thu, Jun 30, 2011 at 9:25 AM, Jeffrey Altman
<jaltman at secure-endpoints.com> wrote:
> On 6/30/2011 1:20 AM, ghudson at MIT.EDU wrote:
>> * Perhaps krb5_get_init_creds_keytab() should save the error message
>>   before the retry, and put it back if it decides to use ret instead
>>   of ret2.  Perhaps we want convenience functions to make this easier
>>   to do.
>>
>
> I think it is the responsibility of code such as this to save context
> and restore it as necessary.
>
> The krb5_get_init_creds_keytab() case is flawed for another reason.  The
> force retry to master call is made regardless of whether or not there is
> a master defined.  As a result it is impossible for
> krb5_get_init_creds_keytab() to know whether or not the error state from
> the second call is more or less meaningful than the first.
>
> If this code were to be restructured, I would have a function that
> determines whether or not there are masters defined and only make the
> second call if there are.  Secondly, the master list should be cached so
> that the cost of dns lookups is not repeated.

+1.  But also, there's something to be said for reporting (merging)
all the error cases in fallback handling when all fallbacks fail,
since two different errors might both be meaningful.  I grant that
fallbacks that fail differently are likely to be rare, but they would
still be useful to be able to observe.

Nico
--




More information about the krbdev mailing list