saslauthd/auth_krb5 krb5_get_init_creds_password failure

Frank Swasey Frank.Swasey at uvm.edu
Wed Apr 12 14:33:59 EDT 2017


Nobody responded about why this was done this way, so looking into the 
auth_krb5.c file, I see that there were places where exactly what I 
suggested were done.  Attached is a patch to extend that to all the 
places it would be useful.

  - Frank

On Thu, 6 Apr 2017 at 10:57am, Frank Swasey wrote:

> Is there a specific reason that when krb5_get_init_creds_password fails the 
> failure code is all that is logged in syslog?  That negative number appears 
> to be useless all alone.
>
> From reading the krb5 docs, it would seem the correct response would be to 
> call syslog as:
>
> syslog(LOG_ERR, "auth_krb5: krb5_get_init_creds_password: %s",
> 	krb5_get_error_message(context, code));
>
> and then destroy the ccache, auth_user and context.  Instead of destroying 
> the bits and then logging just the code as a negative number.
>
> Have I missed some bit of information about why this is done?
>
>

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Sr Systems Administrator        | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
   "I am not young enough to know everything." - Oscar Wilde (1854-1900)
-------------- next part --------------
From 14fc3335ce2960501c226cf704fd152f290514a2 Mon Sep 17 00:00:00 2001
From: Francis Swasey <Frank.Swasey at uvm.edu>
Date: Thu, 6 Apr 2017 12:15:07 -0400
Subject: [PATCH] Use krb5_get_error_message and print a (possibly extended)
 error message.

---
 saslauthd/auth_krb5.c | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/saslauthd/auth_krb5.c b/saslauthd/auth_krb5.c
index cfba96e..a29b064 100644
--- a/saslauthd/auth_krb5.c
+++ b/saslauthd/auth_krb5.c
@@ -257,13 +257,14 @@ auth_krb5 (
 
 #else /* !KRB5_HEIMDAL */
 
-static void k5support_log_err(krb5_context context,
+static void k5support_log_err(int priority,
+                              krb5_context context,
 			      krb5_error_code code,
 			      char const *msg)
 {
     const char *k5_msg = krb5_get_error_message(context, code);
 
-    syslog(LOG_DEBUG, "auth_krb5: %s: %s (%d)\n", msg, k5_msg, code);
+    syslog(priority, "auth_krb5: %s: %s (%d)\n", msg, k5_msg, code);
     krb5_free_error_message(context, k5_msg);
 }
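Review bot: k5support_log_err now takes a caller-chosen syslog priority, but nothing documents what the parameter means or what the logged line looks like; add `/* Log a krb5 failure at the given syslog priority as "<msg>: <krb5 text> (<code>)". */` above the definition. Since the priority goes straight through to syslog(), the comment should also say that the caller decides whether the failure is an operator-facing error (LOG_ERR) or routine diagnostic detail (LOG_DEBUG), because that choice now lives at every call site. The trailing `\n` in the format string on the changed syslog line is not needed by syslog(3) and could be dropped while the line is being touched.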
 
@@ -284,20 +285,20 @@ static int k5support_verify_tgt(krb5_context context,
 
     if ((k5_retcode = krb5_sname_to_principal(context, NULL, verify_principal,
 					      KRB5_NT_SRV_HST, &server))) {
-	k5support_log_err(context, k5_retcode, "krb5_sname_to_principal()");
+	k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_sname_to_principal()");
 	return 0;
     }
 
     if (keytabname) {
 	if ((k5_retcode = krb5_kt_resolve(context, keytabname, &kt))) {
-	    k5support_log_err(context, k5_retcode, "krb5_kt_resolve()");
+	    k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_kt_resolve()");
 	    goto fini;
 	}
     }
     
     if ((k5_retcode = krb5_kt_read_service_key(context, kt, server, 0,
 					       0, &keyblock))) {
-	k5support_log_err(context, k5_retcode, "krb5_kt_read_service_key()");
+	k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_kt_read_service_key()");
 	goto fini;
     }
     
@@ -315,7 +316,7 @@ static int k5support_verify_tgt(krb5_context context,
     
     if ((k5_retcode = krb5_mk_req(context, &auth_context, 0, verify_principal, 
 				  thishost, NULL, ccache, &packet))) {
-	k5support_log_err(context, k5_retcode, "krb5_mk_req()");
+	k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_mk_req()");
     }
     
     if (auth_context) {
@@ -329,7 +330,7 @@ static int k5support_verify_tgt(krb5_context context,
     
     if ((k5_retcode = krb5_rd_req(context, &auth_context, &packet, 
 				  server, NULL, NULL, NULL))) {
-	k5support_log_err(context, k5_retcode, "krb5_rd_req()");
+	k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_rd_req()");
 	goto fini;
     }
 
@@ -392,9 +393,9 @@ auth_krb5 (
 	return strdup("NO saslauthd principal name error");
     }
 
-    if (krb5_parse_name (context, principalbuf, &auth_user)) {
+    if (code = krb5_parse_name (context, principalbuf, &auth_user)) {
+	k5support_log_err(LOG_ERR, context, code, "krb5_parse_name()");
 	krb5_free_context(context);
-	syslog(LOG_ERR, "auth_krb5: krb5_parse_name");
 	return strdup("NO saslauthd internal error");
     }
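Review bot: The new condition `if (code = krb5_parse_name (context, principalbuf, &auth_user))` assigns inside `if` without the extra parentheses that this same file uses for the pattern (`if ((code = krb5_get_init_creds_password(...)))` in the later hunk), so `-Wparentheses` will warn and a reader cannot tell an intended assignment from a `==` typo. Write `if ((code = krb5_parse_name (context, principalbuf, &auth_user))) {`; the same applies to the krb5_cc_resolve and krb5_cc_initialize checks in the next hunk and the krb5_cc_store_cred check in the one after it. auth_krb5 starts and ends outside this hunk.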
     
@@ -403,17 +404,17 @@ auth_krb5 (
 	return strdup("NO saslauthd internal error");
     }
 
-    if (krb5_cc_resolve(context, tfname, &ccache)) {
+    if (code = krb5_cc_resolve(context, tfname, &ccache)) {
+	k5support_log_err(LOG_ERR, context, code, "krb5_cc_resolve()");
 	krb5_free_principal(context, auth_user);
 	krb5_free_context(context);
-	syslog(LOG_ERR, "auth_krb5: krb5_cc_resolve");
 	return strdup("NO saslauthd internal error");
     }
     
-    if (krb5_cc_initialize (context, ccache, auth_user)) {
+    if (code = krb5_cc_initialize (context, ccache, auth_user)) {
+	k5support_log_err(LOG_ERR, context, code, "krb5_cc_initialize()");
 	krb5_free_principal(context, auth_user);
 	krb5_free_context(context);
-	syslog(LOG_ERR, "auth_krb5: krb5_cc_initialize");
 	return strdup("NO saslauthd internal error");
     }
     
@@ -423,19 +424,19 @@ auth_krb5 (
     if ((code = krb5_get_init_creds_password(context, &creds, 
                                              auth_user, password, NULL, NULL, 
                                              0, NULL, &opts))) {
+	k5support_log_err(LOG_ERR, context, code, "krb5_get_init_creds_password()");
 	krb5_cc_destroy(context, ccache);
 	krb5_free_principal(context, auth_user);
 	krb5_free_context(context);
-	syslog(LOG_ERR, "auth_krb5: krb5_get_init_creds_password: %d", code);
 	return strdup("NO saslauthd internal error");
     }
     
     /* at this point we should have a TGT. Let's make sure it is valid */
-    if (krb5_cc_store_cred(context, ccache, &creds)) {
+    if (code = krb5_cc_store_cred(context, ccache, &creds)) {
+	k5support_log_err(LOG_ERR, context, code, "krb5_cc_store_cred()");
 	krb5_free_principal(context, auth_user);
 	krb5_cc_destroy(context, ccache);
 	krb5_free_context(context);
-	syslog(LOG_ERR, "auth_krb5: krb5_cc_store_cred");
 	return strdup("NO saslauthd internal error");
     }
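Review bot: The LOG_ERR line added for the krb5_get_init_creds_password() failure will be emitted for every wrong password, since that is the call that verifies the client's password against the KDC; recording an ordinary authentication failure at LOG_ERR with the KDC's error text is noisy and makes genuine KDC or configuration problems harder to pick out of syslog. Consider separating the expected credential-failure codes (e.g. KRB5KDC_ERR_PREAUTH_FAILED) from everything else, along the lines of `k5support_log_err(code == KRB5KDC_ERR_PREAUTH_FAILED ? LOG_NOTICE : LOG_ERR, context, code, "krb5_get_init_creds_password()");`, so that only unexpected failures reach LOG_ERR. Logging before krb5_cc_destroy() is the right order, as the context is still valid for krb5_get_error_message(). auth_krb5 continues outside this hunk.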
     
-- 
2.11.0 (Apple Git-81)


