On Thu, Oct 05, 2017 at 12:28:29PM -0400, Jeffrey Hutzelman wrote: > Both, I think. kinit (and other clients) ought to report something > like "error_message (e_text)", unless the e_text is empty or the same > as the message for the error code. of course, more complex variations > are possible, what with both locally- and KDC-generated error codes > and additional messages. but just blindly using the e_text and nothing > else is clearly wrong.
Yes. (And let's not even get into how to localize e-text.) > That said, the KDC should not be sending this particular e_text in > this situation. I'll bet there's a loop that looks for suitable PA > data, and that message gets produced if it finishes without finding > any, even though the problem is something else entirely. I looked for that and couldn't find it. There's only one place where the string "ENC-TS" occurs; I could not find how it gets turned into "No ENC-TS found", now could I find a printf format string that would do that. Nico --
