>KRB5KRB_AP_ERR_TKT_EXPIRED   /* ticket was expired */

I can't see a "good" thing to do here, other than perhaps prompt the user
for a new password to get a new TGT (assuming that this application can even
do that).  If the ticket is expired, getting a new one with the same
credentials won't help.

>KRB5KRB_AP_ERR_BAD_INTEGRITY /* can't decrypt */
>KRB5KRB_AP_ERR_BADKEYVER     /* they can't find the right key */
>
>It pretty strongly suggests that something is hosed with the
>ticket we used to create the AP-REQ, and that maybe we should
>try to get a fresh one. However, short of completely nuking
>the current credential cache, I don't see that there's a 
>very easy way to kill off the offending credentials in 
>the credential cache.
>
>Am I missing something? How do other applications
>deal with this sort of error (other than
>complaining to the user)?

In general, when I've gotten the above errors, it's been the case
of a system misconfiguration; getting a new ticket in the above
cases wouldn't have helped the situation.  There _has_ been the
rare instance where a machine has been rekeyed and we forgot/couldn't
save the old key in the keytab; getting rid of the credential would
have fixed the situation for affected users ... but that happens
_so_ rarely in my experience that it's never been worth dealing
with in application code.  YMMV.

--Ken
