saslauthd/auth_krb5 krb5_get_init_creds_password failure
Frank Swasey
Frank.Swasey at uvm.edu
Wed Apr 12 14:33:59 EDT 2017
Nobody responded about why this was done this way, so looking into the
auth_krb5.c file, I see that there were already places where exactly what I
suggested was done. Attached is a patch that extends that to all the
places where it would be useful.
- Frank
On Thu, 6 Apr 2017 at 10:57am, Frank Swasey wrote:
> Is there a specific reason that when krb5_get_init_creds_password fails the
> failure code is all that is logged in syslog? That negative number appears
> to be useless all alone.
>
> From reading the krb5 docs, it would seem the correct response would be to
> call syslog as:
>
> syslog(LOG_ERR, "auth_krb5: krb5_get_init_creds_password: %s",
> krb5_get_error_message(context, code));
>
> and then destroy the ccache, auth_user and context. Instead of destroying
> the bits and then logging just the code as a negative number.
>
> Have I missed some bit of information about why this is done?
>
>
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
-------------- next part --------------
From 14fc3335ce2960501c226cf704fd152f290514a2 Mon Sep 17 00:00:00 2001
From: Francis Swasey <Frank.Swasey at uvm.edu>
Date: Thu, 6 Apr 2017 12:15:07 -0400
Subject: [PATCH] Use krb5_get_error_message and print a (possibly extended)
error message.
---
saslauthd/auth_krb5.c | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/saslauthd/auth_krb5.c b/saslauthd/auth_krb5.c
index cfba96e..a29b064 100644
--- a/saslauthd/auth_krb5.c
+++ b/saslauthd/auth_krb5.c
@@ -257,13 +257,14 @@ auth_krb5 (
#else /* !KRB5_HEIMDAL */
-static void k5support_log_err(krb5_context context,
+static void k5support_log_err(int priority,
+ krb5_context context,
krb5_error_code code,
char const *msg)
{
const char *k5_msg = krb5_get_error_message(context, code);
- syslog(LOG_DEBUG, "auth_krb5: %s: %s (%d)\n", msg, k5_msg, code);
+ syslog(priority, "auth_krb5: %s: %s (%d)\n", msg, k5_msg, code);
krb5_free_error_message(context, k5_msg);
}
@@ -284,20 +285,20 @@ static int k5support_verify_tgt(krb5_context context,
if ((k5_retcode = krb5_sname_to_principal(context, NULL, verify_principal,
KRB5_NT_SRV_HST, &server))) {
- k5support_log_err(context, k5_retcode, "krb5_sname_to_principal()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_sname_to_principal()");
return 0;
}
if (keytabname) {
if ((k5_retcode = krb5_kt_resolve(context, keytabname, &kt))) {
- k5support_log_err(context, k5_retcode, "krb5_kt_resolve()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_kt_resolve()");
goto fini;
}
}
if ((k5_retcode = krb5_kt_read_service_key(context, kt, server, 0,
0, &keyblock))) {
- k5support_log_err(context, k5_retcode, "krb5_kt_read_service_key()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_kt_read_service_key()");
goto fini;
}
@@ -315,7 +316,7 @@ static int k5support_verify_tgt(krb5_context context,
if ((k5_retcode = krb5_mk_req(context, &auth_context, 0, verify_principal,
thishost, NULL, ccache, &packet))) {
- k5support_log_err(context, k5_retcode, "krb5_mk_req()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_mk_req()");
}
if (auth_context) {
@@ -329,7 +330,7 @@ static int k5support_verify_tgt(krb5_context context,
if ((k5_retcode = krb5_rd_req(context, &auth_context, &packet,
server, NULL, NULL, NULL))) {
- k5support_log_err(context, k5_retcode, "krb5_rd_req()");
+ k5support_log_err(LOG_DEBUG, context, k5_retcode, "krb5_rd_req()");
goto fini;
}
@@ -392,9 +393,9 @@ auth_krb5 (
return strdup("NO saslauthd principal name error");
}
- if (krb5_parse_name (context, principalbuf, &auth_user)) {
+ if (code = krb5_parse_name (context, principalbuf, &auth_user)) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_parse_name()");
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_parse_name");
return strdup("NO saslauthd internal error");
}
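Review bot: `if (code = krb5_parse_name (context, principalbuf, &auth_user)) {` assigns inside the condition without the extra parentheses the file already uses for the same idiom at the krb5_get_init_creds_password() check, so GCC/Clang -Wparentheses (enabled by -Wall) warns and a reader cannot tell whether `==` was intended. Write it as `if ((code = krb5_parse_name(context, principalbuf, &auth_user))) {`; the same applies to the krb5_cc_resolve, krb5_cc_initialize and krb5_cc_store_cred conditions this patch introduces. Logging before krb5_free_context() is the right order here, since krb5_get_error_message() needs the live context. auth_krb5 continues on both sides of the hunk.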
@@ -403,17 +404,17 @@ auth_krb5 (
return strdup("NO saslauthd internal error");
}
- if (krb5_cc_resolve(context, tfname, &ccache)) {
+ if (code = krb5_cc_resolve(context, tfname, &ccache)) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_cc_resolve()");
krb5_free_principal(context, auth_user);
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_cc_resolve");
return strdup("NO saslauthd internal error");
}
- if (krb5_cc_initialize (context, ccache, auth_user)) {
+ if (code = krb5_cc_initialize (context, ccache, auth_user)) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_cc_initialize()");
krb5_free_principal(context, auth_user);
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_cc_initialize");
return strdup("NO saslauthd internal error");
}
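Review bot: When krb5_cc_initialize() fails, the ccache handle obtained from krb5_cc_resolve() a few lines earlier is neither closed nor destroyed before krb5_free_context(), unlike the krb5_get_init_creds_password() failure path which calls krb5_cc_destroy(). Since the patch rewrites this error path anyway, add `krb5_cc_destroy(context, ccache);` ahead of `krb5_free_principal(context, auth_user);` in that branch, so the handle is released and any partially created cache file under tfname is removed; whether krb5_cc_close() would suffice depends on whether krb5_cc_initialize() had already created the file, which the hunk does not show. The omission predates this change. auth_krb5 continues on both sides of the hunk.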
@@ -423,19 +424,19 @@ auth_krb5 (
if ((code = krb5_get_init_creds_password(context, &creds,
auth_user, password, NULL, NULL,
0, NULL, &opts))) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_get_init_creds_password()");
krb5_cc_destroy(context, ccache);
krb5_free_principal(context, auth_user);
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_get_init_creds_password: %d", code);
return strdup("NO saslauthd internal error");
}
/* at this point we should have a TGT. Let's make sure it is valid */
- if (krb5_cc_store_cred(context, ccache, &creds)) {
+ if (code = krb5_cc_store_cred(context, ccache, &creds)) {
+ k5support_log_err(LOG_ERR, context, code, "krb5_cc_store_cred()");
krb5_free_principal(context, auth_user);
krb5_cc_destroy(context, ccache);
krb5_free_context(context);
- syslog(LOG_ERR, "auth_krb5: krb5_cc_store_cred");
return strdup("NO saslauthd internal error");
}
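Review bot: On the krb5_cc_store_cred() failure path the `creds` structure filled by the successful krb5_get_init_creds_password() call — the TGT the comment above refers to, together with its session key — is not released with krb5_free_cred_contents() before returning, so that key material is leaked in the heap; this predates the patch, but the hunk rewrites exactly this path. Add `krb5_free_cred_contents(context, &creds);` before `krb5_free_principal(context, auth_user);` in that branch, unless it is already released by cleanup code after the hunk, which is not visible here. Separately, the new LOG_ERR line now reports krb5's text for what is presumably an ordinary wrong password as well as for genuine internal errors, while the reply to the client stays `NO saslauthd internal error`; if operators alert on ERR-level entries it is worth distinguishing KRB5KDC_ERR_PREAUTH_FAILED from the rest. auth_krb5 continues past the end of the hunk.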
--
2.11.0 (Apple Git-81)