On 10/05/2017 07:52 AM, Harald Barth wrote:
> And because the return code ret is the same as the error_code in the
> context, krb5_get_error_message() just copies the string from the
> context. However, if krb5_get_error_message() does its own lookup of
> -1765328383 it gets "Client's entry in database has expired" which is
> more like it. But where does "No ENC-TS found" come from and why is it
> "better" than the own lookup?

I didn't find anything like "No ENC-TS found" in the Heimdal source
code, so my best guess is that this is coming from
rd_error.c:krb5_error_from_rd_error() which does:

    ret = error->error_code;
    if (error->e_text != NULL) {
        krb5_set_error_message(context, ret, "%s", *error->e_text);
    } ...

If my theory is correct, the KDC is sending unhelpful e_text and/or
Heimdal is too trusting in using the e_text in preference to the string
corresponding to the error code.  In this case, concatenating the error
code string with the e_text would produce a better result but not an
ideal one, as "No ENC-TS found" shouldn't appear in the error message at
all.

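The concatenation suggested in the message above, sketched as an added example that is not part of the original email and is not Heimdal code. `format_kdc_error` is a hypothetical helper, the one-entry lookup table is constructed from the code and string quoted in the thread, and replacing non-printable bytes in the KDC-supplied text is an added assumption.

```c
#include <stdio.h>
#include <string.h>

static char msg[128];   /* demo output buffer */

/* Constructed one-entry table: the code and string quoted in the thread. */
static const char *local_error_string(long code)
{
    if (code == -1765328383L)
        return "Client's entry in database has expired";
    return "Unknown Kerberos error";
}

/*
 * Hypothetical helper, not a Heimdal function. Writes the locally looked-up
 * string first, then the KDC-supplied e_text (if any) as a labelled suffix.
 * e_text arrives over the network, so bytes outside printable ASCII are
 * replaced with '?'. Output is always NUL-terminated; returns buf.
 */
static char *format_kdc_error(long code, const char *e_text,
                              char *buf, size_t len)
{
    static const char sep[] = " (KDC e-text: ";
    size_t pos, i;

    if (len == 0)
        return buf;
    snprintf(buf, len, "%s", local_error_string(code));
    pos = strlen(buf);
    /* Add the suffix only if separator, one character, ')' and NUL fit. */
    if (e_text == NULL || *e_text == '\0' || pos + sizeof(sep) + 2 > len)
        return buf;
    memcpy(buf + pos, sep, sizeof(sep) - 1);
    pos += sizeof(sep) - 1;
    for (i = 0; e_text[i] != '\0' && pos + 2 < len; i++) {
        unsigned char c = (unsigned char)e_text[i];
        buf[pos++] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    buf[pos++] = ')';
    buf[pos] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed input: the e_text quoted in the thread. */
    puts(format_kdc_error(-1765328383L, "No ENC-TS found", msg, sizeof(msg)));
    return 0;
}
```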