Tobias Franzén wrote:
> Tobias Franzén wrote:
>   
>> Hi.
>>
>> I'm using Cosign version 2.1.0rc1 with Apache 2.2.
>>
>> I have Heimdal Kerberos for authN (and have most other user info in 
>> LDAP). Setting the valid start and end properties to different times in 
>> the future and the past and trying to log in with Cosign, I get an 
>> Unknown error when the client is not valid. It's the same message when 
>> the client is expired, or not yet valid. (I'm using the default Cosign 
>> template so far.)
>>
>> Web Login is Unavailable
>> Web Login is unavailable due to an internal error. We apologize for any 
>> inconvenience this may cause and are working to restore service as soon 
>> as possible. Please try again later.
>> Technical Info: Unknown error -1765328383
>>
>> Attempting to get a ticket with kinit results in "Client ([EMAIL PROTECTED]) 
>> expired" or "Client not yet valid - try again later".
>>   
>>     
> I see now that I was in error when I said both gave the same error 
> message. The above error is when the client has expired, and when the 
> client is not yet valid, the error code is -1765328363.
>
> From 
> http://web.mit.edu/Kerberos/krb5-1.4/krb5-1.4.2/doc/krb5-admin/Kerberos-V5-Library-Error-Codes.html
> KRB5KDC_ERR_NAME_EXP: Client's entry in database has expired
> KRB5KDC_ERR_CLIENT_NOTYET: Client not yet valid - try again later
>
> This is consistent with the Krb5 error codes I found in my krb5_err.h.
>   
Scratch the bug part and see this as a feature request.

Passing the Kerberos error codes to error_message() when using Heimdal 
is probably always returning "Unknown error" plus the error code.
I tried changing the error_message(kerror) after 
krb5_get_init_creds_password(...) in cgi/login.c to 
krb5_get_error_message(kcontext, kerror) for Heimdal, and it worked. I 
doubt it is compatible with MIT KRB5 though.

Here is an interesting patch for NFS to use a common error message 
function, instead of the MIT-specific error_message().
http://linux-nfs.org/pipermail/nfsv4/2007-April/005944.html

/Tobias
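
Added example, not part of the original message and not Cosign code: the two codes quoted in the thread decoded as offsets from the krb5 com_err table base, so a login page can tell an expired or not-yet-valid principal apart from an internal error without relying on error_message(). The function and enum names are hypothetical.

```c
#include <stdio.h>

/* Base of the krb5 com_err error table; the library codes quoted in the
 * thread are this base plus the RFC 4120 protocol error number. */
#define KRB5_ERR_TABLE_BASE (-1765328384LL)

/* Hypothetical categories a login CGI could render to the user. */
enum login_reason {
    REASON_EXPIRED,        /* KRB5KDC_ERR_NAME_EXP      (protocol error 1)  */
    REASON_NOT_YET_VALID,  /* KRB5KDC_ERR_CLIENT_NOTYET (protocol error 21) */
    REASON_OTHER_KDC,      /* some other KDC protocol error                 */
    REASON_INTERNAL        /* anything outside the protocol error range     */
};

/* Return the protocol error number (0..127) carried by a library error
 * code, or -1 when the code is not in that part of the krb5 table. */
long kdc_error_number(long kerror)
{
    long long off = (long long)kerror - KRB5_ERR_TABLE_BASE;
    return (off >= 0 && off < 128) ? (long)off : -1;
}

enum login_reason classify_login_error(long kerror)
{
    switch (kdc_error_number(kerror)) {
    case 1:  return REASON_EXPIRED;
    case 21: return REASON_NOT_YET_VALID;
    case -1: return REASON_INTERNAL;
    default: return REASON_OTHER_KDC;
    }
}

int main(void)
{
    /* The two values reported in the thread, plus a constructed non-krb5 code. */
    long samples[] = { -1765328383L, -1765328363L, -1L };
    for (int i = 0; i < 3; i++)
        printf("%ld -> protocol error %ld, reason %d\n", samples[i],
               kdc_error_number(samples[i]),
               (int)classify_login_error(samples[i]));
    return 0;
}
```

This only classifies the numeric code; the human-readable text still has to come from the Kerberos library in use.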
