Date: Tue, 03 Jun 2014 18:51:31 -0400
From: Richard Basch
Subject: RE: [krbdev.mit.edu #7910] krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)
To: rt-comment@krbdev.mit.edu
CC: tlyu@mit.edu, ghudson@mit.edu, 'Richard Basch' , kayla.c.harrison@gmail.com
Message-ID: <04fd01cf7f7e$5d6d3a40$1847aec0$@mit.edu>

Proposed patch: https://github.com/rbasch/krb5/commit/fe8223afe3acf8749a1aed62044359bbf5bc6a75

This is a little cleaner than the one I sent via private email a couple days ago, though it is functionally equivalent.

-----Original Message-----
From: Tom Yu via RT [mailto:rt-comment@krbdev.mit.edu]
Sent: Wednesday, May 14, 2014 3:21 PM
To: basch@alum.mit.edu
Subject: Re: [krbdev.mit.edu #7910] krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)

"Richard Basch via RT" writes:

> When a TGT has expired but is presented to the KDC, the KDC will log
> for server_principal@REALM, Ticket expired.
>
> Though patches have already been adopted to correct the service
> principal logging (which was faulty in 1.11 & 1.12), the client
> principal is not properly decoded/displayed, especially in the
> "expired ticket" case. This can make diagnostics a little more
> challenging in some cases.

I agree that omitting the client name from that error can make diagnostics challenging. I think we've known about this issue for quite some time, but haven't figured out a good way to fix it yet.

I would not expect fixing this to be easy. As I recall, there would need to be changes to the error paths in rd_req_decoded_opt() to preserve some of the decrypted and decoded ticket contents, and we would consequently have to work harder to correctly manage the associated memory allocations.