|Date:||Tue, 13 May 2014 19:30:24 -0400|
|From:||Richard Basch <firstname.lastname@example.org>|
|Subject:||krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)|
|CC:||"'Richard Basch'" <email@example.com>|
When a TGT has expired but is presented to the KDC, the KDC will log <unknown client> for server_principal@REALM, Ticket expired.
Though patches have already been adopted to correct the service principal logging (which was faulty in 1.11 & 1.12), the client principal is not properly decoded/displayed, especially in the “expired ticket” case. This can make diagnostics a little more challenging in some cases.
I don’t have a quick fix yet.
- Get a TGT
- Let it expire and then wait until after the “grace time”
- Attempt to get a service ticket (using TGS_REQ). I use “kvno” on a Linux 5 system which is compiled against the 1.6 libraries (1.12 client library detects the ticket is already expired without ever sending the request to the KDC).
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4577 / Virus Database: 3931/7469 - Release Date: 05/10/14