Resending (reformatted to avoid line break in middle of URL).

Proposed fix:
https://github.com/rbasch/krb5/commit/fe8223afe3acf8749a1aed62044359bbf5bc6a75

-----Original Message-----
From: Tom Yu via RT [mailto:rt-comment@krbdev.mit.edu]
Sent: Wednesday, May 14, 2014 3:21 PM
To: basch@alum.mit.edu
Subject: Re: [krbdev.mit.edu #7910] krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)

"Richard Basch via RT" writes:

> When a TGT has expired but is presented to the KDC, the KDC will log
> for server_principal@REALM, Ticket expired.
>
> Though patches have already been adopted to correct the service
> principal logging (which was faulty in 1.11 & 1.12), the client
> principal is not properly decoded/displayed, especially in the
> "expired ticket" case. This can make diagnostics a little more
> challenging in some cases.

I agree that omitting the client name from that error can make
diagnostics challenging. I think we've known about this issue for
quite some time, but haven't figured out a good way to fix it yet.

I would not expect fixing this to be easy. As I recall, there would
need to be changes to the error paths in rd_req_decoded_opt() to
preserve some of the decrypted and decoded ticket contents, and we
would consequently have to work harder to correctly manage the
associated memory allocations.