*Excellent* error message missing from newer krb5-libs versions...

Greg Hudson ghudson at MIT.EDU
Mon Apr 28 17:11:47 EDT 2014

On 04/27/2014 01:49 PM, Spike_White at dell.com wrote:
>             krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
>                                    "Wrong principal in request (found %s, wanted %s)",
>                                    found_name, wanted_name);
> As you can see, that excellent krb5_set_error_message() call has been stripped out.
> Can that useful & descriptive error message be put back in please?

Two big things have changed in krb5_rd_req since 1.6: server principal
aliases[1] in 1.7 and flexible acceptor names[2] in 1.10.  Because of
these features, it's not as simple as adding back a simple diagnostic
like the one in 1.6.

But I agree that the current error result is much less helpful than it
should be, given how often administrators have to diagnose ticket
decryption failures.  I have put together a candidate patch series which
I hope will make it easier to diagnose of ticket decryption failures.
It is at:


but it may change significantly before it is pushed to the master branch.

[1] http://k5wiki.kerberos.org/wiki/Projects/Aliases
[2] http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names

More information about the krbdev mailing list