Question about aname_do_match behavior on invalid pattern

Greg Hudson ghudson at
Tue Jan 24 11:43:24 EST 2017

On 01/23/2017 06:15 PM, Eric Diven wrote:
> When regcomp returns a non-zero result, aname_do_match returns
> KRB5_LNAME_NOTRANS. This seems like odd behavior for what appears to be an
> error in the krb5.conf file. Can somebody please explain the rationale
> behind this?

I don't think anyone can speak to the rationale behind this behavior as
it's very old.  Although I reorganized the code significantly in 1.12
when I added the localauth pluggable interface, that behavior dates back
to 1.0.  If you look at the an_to_ln.c code from back then, the behavior
could be explained by a kind of laziness; the code looks like "if
(!regcomp(...) && !regexec(...))" and similar for other regexp types.

I agree that it would be more helpful to return KRB5_CONFIG_BADFORMAT, with an
extended error message explaining that the regexp is bad.  There is some
risk of breaking people's kind-of-working config files if we make that
change, but the risk might be acceptable.
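
The two behaviors discussed in this message, side by side, as an added example that is not part of the original message or the krb5 source. The function names, result labels, patterns and principal names are constructed for illustration, and REG_EXTENDED is an assumption.

```c
#include <regex.h>
#include <stdio.h>

/* Stand-in outcome labels for this example; not the krb5 error constants. */
enum match_result { MATCHED, NO_TRANSLATION, BAD_FORMAT };

/* Constructed sample patterns: BAD_PATTERN has an unterminated bracket. */
static const char GOOD_PATTERN[] = "^[a-z]+@EXAMPLE\\.COM$";
static const char BAD_PATTERN[] = "^[a-z+@EXAMPLE\\.COM$";

/* Shape described in the message: a regcomp() failure takes the same
 * path as "compiled fine but did not match". */
enum match_result match_lazy(const char *pattern, const char *name)
{
    regex_t re;
    enum match_result res = NO_TRANSLATION;

    if (!regcomp(&re, pattern, REG_EXTENDED)) {  /* flag is an assumption */
        if (!regexec(&re, name, 0, NULL, 0))
            res = MATCHED;
        regfree(&re);
    }
    return res;
}

/* Alternative: report a compile failure separately and keep the
 * regerror() text so it can go into an extended error message. */
enum match_result match_strict(const char *pattern, const char *name,
                               char *errbuf, size_t errlen)
{
    regex_t re;
    int rc = regcomp(&re, pattern, REG_EXTENDED);

    if (rc != 0) {
        regerror(rc, &re, errbuf, errlen);
        return BAD_FORMAT;
    }
    rc = regexec(&re, name, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? MATCHED : NO_TRANSLATION;
}

int main(void)
{
    char err[128] = "";
    printf("good:   %d\n", match_lazy(GOOD_PATTERN, "alice@EXAMPLE.COM"));
    printf("lazy:   %d\n", match_lazy(BAD_PATTERN, "alice@EXAMPLE.COM"));
    printf("strict: %d (%s)\n",
           match_strict(BAD_PATTERN, "alice@EXAMPLE.COM", err, sizeof(err)), err);
    return 0;
}
```

With the lazy form, a typo in the pattern silently disables the rule and lookup moves on as if the rule had not applied; the strict form surfaces the configuration error at the point it is first evaluated.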
