On Wed, Aug 13, 2008 at 03:07:55PM -0400, Timo Sirainen wrote:
>> + auth_request_log_info(request, "gssapi", >> + "Using all keytab entires");
>
> I'm beginning to wonder about the logging in the code though. To me it
> looks like all of these should rather be log_debug instead of log_info. And
> I don't see any log_infos for logging why the user login actually failed
> (does gssapi even tell anything about it?). Or debug logging about what the
> usernames are when trying to log in. And the GSSAPI errors probably should
> be logged with log_info instead of log_error, because they probably aren't
> errors that the sysadmin can do anything about, but rather some client
> misconfiguration or a client bug (at least after the initial configuration
> is done and working).
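Review bot: the string passed to auth_request_log_info() in this hunk reads "Using all keytab entires"; "entires" should be "entries". The message only describes which keytab entries are in use, so it is diagnostic output, and logging it at debug level rather than info would keep it out of the normal log unless someone is troubleshooting.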

Well, I am not an expert on gssapi, but there are definitely failures due to administrator misconfiguration and some are the user's fault. For instance any failure from obtain_service_credentials is a configuration error. Failures due to service credential mismatch, encryption type mismatch, etc. are also configuration errors, but they occur later in the process.

To be honest nobody seems to do a super job of logging Kerberos messages. The error messages from the library are terse and contain no information from the packet. Debugging a service principal name mismatch is a royal pain.

The log in my patch probably should be log debug, I just copied the log level from the existing 'Obtaining credentials' message. They are not important unless someone is debugging.

Thanks,
Jason