[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Keytab "MEMORY" in error message

Here are a few keytab related novelties.

Perhaps lib/krb5/keytab.c:krb5_kt_get_entry around line 372 should have:

371         krb5_kt_get_name (context, id, kt_name, sizeof(kt_name));
372         krb5_enctype_to_string(context, enctype, &enctype_str);
            if (kt_name[0] == '\0')
                strcpy(kt_name, "MEMORY");
374         if (kvno)
375             snprintf(kvn...

Otherwise you get:

  Failed to find user@FOO.NET(kvno 1) in keytab  (des-cbc-crc)

as opposed to the superior: 

  Failed to find user@FOO.NET(kvno 1) in keytab MEMORY (des-cbc-crc)

Also, I would like to mention a very very minor issue related to the
message above.

If lib/krb5/get_in_tkt.c:init_as_req is called with krb5_kt_get_entry
as key_proc and it does not find the desired key, the enctype listed
in the error message will likely (always?) be 'des-cbc-crc'. This is
because it may search through archfour-hmac-md5, des-cbc-md5 and finally
des-cbc-crc. So because des-cbc-crc is always last, it is what always
appears in the error text.

Anyway, my thought is that this very common error is a little
confusing. It's perfectly correct behavior but to an operator debugging a
program, it will be a little confusing. If I was using archfour-hmac-md5
and I saw 'des-cbc-crc' I would think that perhaps some keys were old
or messed up somewhere.

The ideal message IMHO would be something like:

  Failed to find user@FOO.NET in keytab MEMORY with kvno 1 and enctype
  archfour-hmac-md5, des-cbc-md5 or des-cbc-crc.

I realize the state of the error is lost with each call to key_proc but
if you're remotely interested in a patch I think I could add something
at the end of the if(preauth != NULL) { clause in init_as_req.

I don't suspect you'll want to bother but I didn't think it could hurt
to try :-)


Michael B Allen
PHP Active Directory SSO