Nobody responded about why this was done this way, so looking into the
auth_krb5.c file, I see that there were places where exactly what I
suggested were done. Attached is a patch to extend that to all the
places it would be useful.
- Frank
On Thu, 6 Apr 2017 at 10:57am, Frank Swasey wrote:
Is there a specific reason that when krb5_get_init_creds_password fails the
failure code is all that is logged in syslog? That negative number is
useless on its own.
From reading the krb5 docs, it would seem the correct response would be to
call syslog as:
syslog(LOG_ERR, "auth_krb5: krb5_get_init_creds_password: %s",
krb5_get_error_message(context, code));
and then destroy the ccache, auth_user and context, instead of destroying
those first and then logging just the code as a negative number.
Have I missed some piece of information about why this is done?
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
From 14fc3335ce2960501c226cf704fd152f290514a2 Mon Sep 17 00:00:00 2001
From: Francis Swasey <Frank.Swasey@xxxxxxx>
Date: Thu, 6 Apr 2017 12:15:07 -0400
Subject: [PATCH] Use krb5_get_error_message and print a (possibly extended)
error message.
---
saslauthd/auth_krb5.c | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/saslauthd/auth_krb5.c b/saslauthd/auth_krb5.c
index cfba96e..a29b064 100644
--- a/saslauthd/auth_krb5.c
+++ b/saslauthd/auth_krb5.c
@@ -257,13 +257,14 @@ auth_krb5 (
#else /* !KRB5_HEIMDAL */
-static void k5support_log_err(krb5_context context,
+static void k5support_log_err(int priority,
+ krb5_context context,
krb5_error_code code,
char const *msg)
{
const char *k5_msg = krb5_get_error_message(context, code);
- syslog(LOG_DEBUG, "auth_krb5: %s: %s (%d)\n", msg, k5_msg, code);
+ syslog(priority, "auth_krb5: %s: %s (%d)\n", msg, k5_msg, code);
krb5_free_error_message(context, k5_msg);
}
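Review bot: The new `priority` parameter is the only change to k5support_log_err's contract, yet the helper still passes `k5_msg` straight to `%s` with no guard; MIT's krb5_get_error_message is documented to return a fallback string rather than NULL, but whether every krb5 library this file builds against does the same is not something the hunk shows, so a `k5_msg ? k5_msg : "(no message)"` guard in the syslog call would be cheap insurance. Two smaller points on the same line: syslog(3) does not need the trailing `\n` in the format, and `code` is a krb5_error_code printed with `%d` — fine where that type is a 32-bit int, but `(long)code` with `%ld` removes the dependence on the library's typedef. A one-line comment above the function, `/* Log a krb5 failure at the given syslog priority, with the library's expanded message and numeric code. */`, would document the new parameter for the callers this patch adds.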
@@ -284,20 +285,20 @@ static int k5support_verify_tgt(krb5_context context,
if ((k5_retcode = krb5_sname_to_principal(context, NULL, verify_principal,
KRB5_NT_SRV_HST, &server))) {
- k5support_log_err(context, k5_retcode, "krb5_sname_to_principal()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_sname_to_principal()");
return 0;
}
if (keytabname) {
if ((k5_retcode = krb5_kt_resolve(context, keytabname, &kt))) {
- k5support_log_err(context, k5_retcode, "krb5_kt_resolve()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_kt_resolve()");
goto fini;
}
}
if ((k5_retcode = krb5_kt_read_service_key(context, kt, server, 0,
0, &keyblock))) {
- k5support_log_err(context, k5_retcode, "krb5_kt_read_service_key()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_kt_read_service_key()");
goto fini;
}
@@ -315,7 +316,7 @@ static int k5support_verify_tgt(krb5_context context,
if ((k5_retcode = krb5_mk_req(context, &auth_context, 0, verify_principal,
thishost, NULL, ccache, &packet))) {
- k5support_log_err(context, k5_retcode, "krb5_mk_req()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_mk_req()");
}
if (auth_context) {
@@ -329,7 +330,7 @@ static int k5support_verify_tgt(krb5_context context,
if ((k5_retcode = krb5_rd_req(context, &auth_context, &packet,
server, NULL, NULL, NULL))) {
- k5support_log_err(context, k5_retcode, "krb5_rd_req()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_rd_req()");
goto fini;
}
@@ -392,9 +393,9 @@ auth_krb5 (
return strdup("NO saslauthd principal name error");
}
- if (krb5_parse_name (context, principalbuf, &auth_user)) {
+ if (code = krb5_parse_name (context, principalbuf, &auth_user)) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_parse_name()");
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_parse_name");
return strdup("NO saslauthd internal error");
}
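Review bot: `if (code = krb5_parse_name (context, principalbuf, &auth_user))` uses a bare assignment as the condition, which reads like a typo for `==` and triggers -Wparentheses on GCC and Clang; the existing krb5_get_init_creds_password check later in this function already uses the doubled-parentheses form, so the new checks should match it: `if ((code = krb5_parse_name(context, principalbuf, &auth_user))) {`. The same pattern appears in the krb5_cc_resolve, krb5_cc_initialize and krb5_cc_store_cred hunks below. The enclosing auth_krb5 function starts and ends outside this hunk.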
@@ -403,17 +404,17 @@ auth_krb5 (
return strdup("NO saslauthd internal error");
}
- if (krb5_cc_resolve(context, tfname, &ccache)) {
+ if (code = krb5_cc_resolve(context, tfname, &ccache)) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_cc_resolve()");
krb5_free_principal(context, auth_user);
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_cc_resolve");
return strdup("NO saslauthd internal error");
}
- if (krb5_cc_initialize (context, ccache, auth_user)) {
+ if (code = krb5_cc_initialize (context, ccache, auth_user)) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_cc_initialize()");
krb5_free_principal(context, auth_user);
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_cc_initialize");
return strdup("NO saslauthd internal error");
}
@@ -423,19 +424,19 @@ auth_krb5 (
if ((code = krb5_get_init_creds_password(context, &creds,
auth_user, password, NULL, NULL,
0, NULL, &opts))) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_get_init_creds_password()");
krb5_cc_destroy(context, ccache);
krb5_free_principal(context, auth_user);
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_get_init_creds_password: %d", code);
return strdup("NO saslauthd internal error");
}
/* at this point we should have a TGT. Let's make sure it is valid */
- if (krb5_cc_store_cred(context, ccache, &creds)) {
+ if (code = krb5_cc_store_cred(context, ccache, &creds)) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_cc_store_cred()");
krb5_free_principal(context, auth_user);
krb5_cc_destroy(context, ccache);
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_cc_store_cred");
return strdup("NO saslauthd internal error");
}
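Review bot: The krb5_get_init_creds_password branch is the path a wrong password takes, and the new k5support_log_err call records the library's expanded message but not which principal was being authenticated, so operators still cannot tie the syslog entry to an account. The principal string was built into `principalbuf` for the krb5_parse_name call earlier in auth_krb5; if it is still valid at this point, including it in the message (a small snprintf into a local buffer passed as `msg`, or a second helper that takes the principal) would make failed-login entries usable for correlation. Since this failure is an expected authentication outcome rather than an internal error, the new `priority` argument also makes it easy to log it below LOG_ERR if that level proves too noisy; the remaining calls in this hunk are genuine internal failures and LOG_ERR fits them. auth_krb5 begins and ends outside this hunk.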
--
2.11.0 (Apple Git-81)