Make error messages more useful: add a URI (Roland Mainz) Spike_White at
Mon Oct 6 13:27:42 EDT 2014

Intranets have to have (at a minimum) a KDC.

So they could spin up a web server on that intranet and stage the URLs there.  Or (as
someone else suggested) use file://  URLs.

I'm a huge fan of whatever can provide more meaningful error messages.  I recently
spent about 3 weeks chasing down an obscure authentication failure.  It kept complaining
about "invalid principal".  So I'm double-checking, triple-checking this user principal.
All good.

KRB5_TRACE, etc. was no help.

Finally, I ran an ancient KRB5 client on this host - which spat out more detailed meaningful
ancillary information.  It output the offending principal.  It was the host principal.  It was
looking up and finding the host in the local domain, not the remote (trusted) domain in which
the host resided.  Apparently, at one time in the far-distant past - this host had registered
in this domain.

I deleted the host principal in the local domain and then all worked.

I realize that modern KRB5 implementations display far less ancillary information than old versions.
I understand that's necessary (due to internationalization/localization issues), but it makes it far harder
to troubleshoot, especially in complex KRB5 topologies.


Date: Mon, 6 Oct 2014 05:30:11 -0400 (EDT)
From: Roland Mainz
Subject: Re: Make error messages more useful: add a URI
To: Nico Williams
Cc: krbdev at

BTW: Three nits:

3. What about intranets with no connection to the outside "world" ?



__ . . __
(o.\ \/ /.o) rmainz at
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)

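The failure Spike describes above (a host that really belongs to a trusted realm still has a host principal registered in the local realm, so the client resolves host/FQDN against the wrong KDC and gets an unhelpful "invalid principal") can be checked for mechanically before anyone spends three weeks on it. The following is an added example for this thread, not code from MIT krb5 or from either poster; the krb5.conf fragment, the realm names LOCAL.EXAMPLE / REMOTE.EXAMPLE, the hostnames and the per-KDC principal inventories are all constructed for illustration, and the host-to-realm lookup approximates MIT's [domain_realm] rules (exact hostname first, then progressively shorter leading-dot suffixes, then default_realm).

```python
"""Added example (not from the krbdev thread): detect a stale host principal
that shadows the correct one in a trusted realm.

Everything below (krb5.conf text, hostnames, realm names and the snapshot of
what each KDC holds) is constructed for illustration."""

import re

# Constructed krb5.conf fragment: LOCAL.EXAMPLE is our realm, hosts under
# remote.example belong to the trusted realm REMOTE.EXAMPLE.
KRB5_CONF = """
[libdefaults]
    default_realm = LOCAL.EXAMPLE

[domain_realm]
    .local.example = LOCAL.EXAMPLE
    local.example = LOCAL.EXAMPLE
    .remote.example = REMOTE.EXAMPLE
    remote.example = REMOTE.EXAMPLE
"""

# Constructed snapshot of each KDC's database (what "kadmin getprinc" would
# report).  The entry for app01 in LOCAL.EXAMPLE is the stale registration
# the post describes: the host lives in REMOTE.EXAMPLE.
KDC_PRINCIPALS = {
    "LOCAL.EXAMPLE": {
        "host/app01.remote.example@LOCAL.EXAMPLE",   # stale, should not exist
        "host/kdc1.local.example@LOCAL.EXAMPLE",
    },
    "REMOTE.EXAMPLE": {
        "host/app01.remote.example@REMOTE.EXAMPLE",
    },
}


def parse_domain_realm(conf):
    """Return ([domain_realm] mapping, default_realm) from krb5.conf text.

    Only the two sections this check needs are parsed; keys are lowercased
    because hostnames are case-insensitive."""
    section = None
    mapping = {}
    default_realm = None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip()
        if section == "domain_realm":
            mapping[key] = val
        elif section == "libdefaults" and key == "default_realm":
            default_realm = val
    return mapping, default_realm


def realm_for_host(fqdn, mapping, default_realm):
    """Map a hostname to its realm: exact entry first, then each parent
    domain as a leading-dot entry (".remote.example", ".example", ...),
    falling back to default_realm.  This approximates MIT krb5's lookup."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in mapping:
        return mapping[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default_realm


def find_conflicting_host_principals(fqdn, mapping, default_realm, kdcs):
    """Return the realms, other than the host's home realm, that also hold
    host/<fqdn>.  Any hit is a stale registration that can shadow the
    genuine principal and produce an "invalid principal" style failure."""
    home = realm_for_host(fqdn, mapping, default_realm)
    return sorted(
        realm for realm, princs in kdcs.items()
        if realm != home and f"host/{fqdn}@{realm}" in princs
    )


if __name__ == "__main__":
    mapping, default_realm = parse_domain_realm(KRB5_CONF)
    for host in ("app01.remote.example", "kdc1.local.example"):
        home = realm_for_host(host, mapping, default_realm)
        stale = find_conflicting_host_principals(host, mapping, default_realm,
                                                 KDC_PRINCIPALS)
        print(f"{host}: home realm {home}, stale copies in {stale or 'none'}")
```

On a real system the inventory dictionary is what you would build from `kadmin -q "getprinc host/app01.remote.example@LOCAL.EXAMPLE"` against each realm's admin server; the fix Spike applied corresponds to deleting the entry reported for the non-home realm. Running the failing client command with `KRB5_TRACE=/dev/stderr` (for example `KRB5_TRACE=/dev/stderr kvno host/app01.remote.example`) shows which realm the library actually chose for the host, which is the piece of ancillary information the old client printed and the new one did not.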