*Excellent* error message missing from newer krb5-libs versions...

Greg Hudson ghudson at MIT.EDU
Mon Apr 28 17:11:47 EDT 2014


On 04/27/2014 01:49 PM, Spike_White at dell.com wrote:
>             krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
>                                    "Wrong principal in request (found %s, wanted %s)",
>                                    found_name, wanted_name);
[...]
> As you can see, that excellent krb5_set_error_message() call has been stripped out.
> Can that useful & descriptive error message be put back in please?

Two big things have changed in krb5_rd_req since 1.6: server principal
aliases[1] in 1.7 and flexible acceptor names[2] in 1.10.  Because of
these features, it's not as simple as adding back a simple diagnostic
like the one in 1.6.

But I agree that the current error result is much less helpful than it
should be, given how often administrators have to diagnose ticket
decryption failures.  I have put together a candidate patch series which
I hope will make it easier to diagnose ticket decryption failures.
It is at:

    https://github.com/krb5/krb5/pull/108

but it may change significantly before it is pushed to the master branch.

[1] http://k5wiki.kerberos.org/wiki/Projects/Aliases
[2] http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names

