What to do when ~/.krb5/config or some other file in the config file path is not available

Harald Barth-2

When ~/.krb5/config is not available (AFS) many Kerberos commands like
klist and afslog abort.

open("/afs/nada.kth.se/home/w/whatever/.krb5/config", O_RDONLY) = -1 ENODEV (No such device)
write(2, "klist: ", 7klist: )                  = 7
write(2, "krb5_init_context failed: 19", 28krb5_init_context failed: 19) = 28
write(2, "\n", 1
)                       = 1
exit_group(1)                           = ?
+++ exited with 1 +++

This seems to be some clause in ./lib/krb5/context.c where ENODEV is
considered fatal (ENOENT, EACCES, EPERM are not). Is there
some reasoning behind what error is "fatal" and what not?

krb5_set_config_files(krb5_context context, char **filenames)
{
    krb5_error_code ret;
    krb5_config_binding *tmp = NULL;
    while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
        ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
        if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
            krb5_config_file_free(context, tmp);
            return ret;
        }
        filenames++;
    }
#

Harald.

Re: What to do when ~/.krb5/config or some other file in the config file path is not available

Nico Williams
On Thu, Mar 16, 2017 at 04:09:58PM +0100, Harald Barth wrote:

> When ~/.krb5/config is not available (AFS) many Kerberos commands like
> klist and afslog abort.
>
> open("/afs/nada.kth.se/home/w/whatever/.krb5/config", O_RDONLY) = -1 ENODEV (No such device)
> write(2, "klist: ", 7klist: )                  = 7
> write(2, "krb5_init_context failed: 19", 28krb5_init_context failed: 19) = 28
> write(2, "\n", 1
> )                       = 1
> exit_group(1)                           = ?
> +++ exited with 1 +++
>
> This seems to be some clause in ./lib/krb5/context.c where ENODEV is
> considered fatal (ENOENT, EACCES, EPERM are not). Is there
> some reasoning behind what error is "fatal" and what not?

Probably just "what the author could think of at the time".  ENODEV is
not listed in the standard's man page for open(), so it's not surprising
they missed that.  ENOTDIR, ELOOP and ENAMETOOLONG should also be
tolerated (it's "misconfiguration").  Maybe even ENXIO and EOVERFLOW.

Nico

Re: What to do when ~/.krb5/config or some other file in the config file path is not available

Gabor Gombas-2
On Thu, Mar 16, 2017 at 10:37:43AM -0500, Nico Williams wrote:

> > This seems to be some clause in ./lib/krb5/context.c where ENODEV is
> > considered fatal (ENOENT, EACCES, EPERM are not). Is there
> > some reasoning behind what error is "fatal" and what not?
>
> Probably just "what the author could think of at the time".  ENODEV is
> not listed in the standard's man page for open(), so it's not surprising
> they missed that.  ENOTDIR, ELOOP and ENAMETOOLONG should also be
> tolerated (it's "misconfiguration").  Maybe even ENXIO and EOVERFLOW.

But why bother? The message shown to the user is rather unhelpful -
without re-running the command through strace, it is impossible to know
which config file caused the error anyway. I think the only special case
is ENOENT which is "business as usual" - anything else should be
reported to the user for diagnosis (and the message should contain the
filename), but then the code should just continue. Reporting may be
slightly difficult here, because the logging setup may depend on the
configuration which has not been read yet...

Gabor
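
The two policies discussed in this thread, side by side, as an added example that is not code from any of the posters or from Heimdal: the errno test from the posted loop, and a loader that stays silent on ENOENT, reports any other failure with the file name, and keeps going. The function names and the sample paths are constructed for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum cfg_action { CFG_LOAD, CFG_SKIP_SILENT, CFG_SKIP_WARN };

/* The condition from the posted loop: fatal unless ENOENT, EACCES or EPERM. */
static int posted_check_is_fatal(int err)
{
    return err != 0 && err != ENOENT && err != EACCES && err != EPERM;
}

/* Policy from the last reply: only ENOENT is silent; other errors warn, none abort. */
static enum cfg_action classify_open_error(int err)
{
    if (err == 0)
        return CFG_LOAD;
    return err == ENOENT ? CFG_SKIP_SILENT : CFG_SKIP_WARN;
}

/* Walk a NULL-terminated path list; returns files opened, counts warnings. */
static int scan_config_files(const char *const *paths, int *warned)
{
    int opened = 0;
    *warned = 0;
    for (; paths != NULL && *paths != NULL && **paths != '\0'; paths++) {
        int fd = open(*paths, O_RDONLY);
        int err = fd < 0 ? errno : 0;
        enum cfg_action act = classify_open_error(err);
        if (act == CFG_LOAD) {
            close(fd); /* a real loader would parse the file here */
            opened++;
        } else if (act == CFG_SKIP_WARN) {
            /* stderr, because logging is configured by the files being read */
            fprintf(stderr, "warning: skipping config file %s: %s\n", *paths, strerror(err));
            (*warned)++;
        }
    }
    return opened;
}

int main(void)
{
    /* Constructed paths: missing directory, non-directory component, readable. */
    const char *paths[] = { "/nonexistent-example/config", "/dev/null/config", "/dev/null", NULL };
    int warned, opened = scan_config_files(paths, &warned);
    printf("opened=%d warned=%d ENODEV fatal in posted loop=%d\n", opened, warned, posted_check_is_fatal(ENODEV));
    return 0;
}
```

The second sample path fails with ENOTDIR, which the posted condition would treat as fatal just like ENODEV; under the warn-and-continue policy it produces one diagnostic naming the file and the third path is still read.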