Make error messages more useful: add a URI (Roland Mainz)
Spike_White@dell.com
Spike_White at dell.com
Mon Oct 6 13:27:42 EDT 2014
Intranets have to have (at a minimum) a KDC.
So they could spin up a web server on that intranet and stage the URLs there. Or (as
someone else suggested) use file:// URLs.
I'm a huge fan of whatever can provide more meaningful error messages. I recently
spent about 3 weeks chasing down an obscure authentication failure. It kept complaining
about "invalid principal". So I'm double-checking, triple-checking this user principal.
All good.
KRB5_TRACE, etc was no help.
Finally, I ran an ancient KRB5 client on this host - which spat out more detailed meaningful
ancillary information. It output the offending principal. It was the host principal. It was
looking up and finding the host in the local domain, not the remote (trusted) domain in which
the host resided. Apparently, at one time in the far-distant past - this host had registered
in this domain.
I deleted the host principal in the local domain and then all worked.
I realize that modern KRB5 implementations display far less ancillary information than old versions.
I understand (due to internationalization/localization issues) that's necessary, but it makes it far harder
to troubleshoot. Especially in complex KRB5 topologies.
Spike
----------------------------------------------------------------------
1. Re: Make error messages more useful: add a URI (Roland Mainz)
Message: 1
Date: Mon, 6 Oct 2014 05:30:11 -0400 (EDT)
From: Roland Mainz
Subject: Re: Make error messages more useful: add a URI
To: Nico Williams
Cc: krbdev at mit.edu
Message-ID:
BTW: Three nits:
...
3. What about intranets with no connection to the outside "world" ?
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) rmainz at redhat.com
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)
More information about the krbdev
mailing list