Re: Make error messages more useful: add a URI (Roland Mainz)


Spike_White
Intranets have to have (at a minimum) a KDC.

So they could spin up a web server on that intranet and stage the URLs there.  Or (as
someone else suggested) use file:// URLs.

I'm a huge fan of whatever can provide more meaningful error messages.  I recently
spent about 3 weeks chasing down an obscure authentication failure.  It kept complaining
about "invalid principal".  So I'm double-checking, triple-checking this user principal.
All good.

KRB5_TRACE, etc. was no help.

Finally, I ran an ancient KRB5 client on this host - which spat out more detailed, meaningful
ancillary information.  It output the offending principal.  It was the host principal.  It was
looking up and finding the host in the local domain, not the remote (trusted) domain in which
the host resided.  Apparently, at one time in the far-distant past - this host had registered
in this domain.

I deleted the host principal in the local domain and then all worked.

I realize that modern KRB5 implementations display far less ancillary information than old versions.
I understand (due to internationalization/localization issues) that's necessary, but it makes it far harder
to troubleshoot.  Especially in complex KRB5 topologies.

Spike
----------------------------------------------------------------------


1. Re: Make error messages more useful: add a URI (Roland Mainz)

Message: 1
Date: Mon, 6 Oct 2014 05:30:11 -0400 (EDT)
From: Roland Mainz
Subject: Re: Make error messages more useful: add a URI
To: Nico Williams
Cc: [hidden email]
Message-ID:

BTW: Three nits:
...

3. What about intranets with no connection to the outside "world" ?

----

Bye,
Roland

--
__ . . __
(o.\ \/ /.o) [hidden email]
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)



_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev