Re: Death of CyberSafe Kerberos products

2001-10-05 Thread Ken Hornstein
Well, Tim, as one who knows the full truth, perhaps you can fill us in, now that CyberSafe has completely ceased operations. No press release. And no, I am not pleased with the outcome. I'm just curious where you heard that Cybersafe has completely tanked; I admit that I was starting to wonder

Re: Death of CyberSafe Kerberos products

2001-10-14 Thread Ken Hornstein
Yes, they're gone. On the other hand, the UK guys seem to still be kicking. But the UK guys' web page says that they're only licensed to sell CyberSafe products in markets outside of North America, so I'm not sure that will help existing customers. --Ken

Re: XDM and Kerberos V

2001-10-16 Thread Ken Hornstein
- login.krb5 uses this order, and so does every other login I've looked at. One of us is reading backwards Hm, I misread login.krb5. But it's actually more complicated than that; As long as it's not a root account, login.krb5 will try both. So if your Unix password matches your Kerberos

Re: Translation Problems

2002-01-03 Thread Ken Hornstein
The way principal is used by Kerberos is, as far as I know, specific to Kerberos. The definition always needs to be explained to English speakers, too. I'd never heard ken's etymology before, but it also seems pretty circular. I seem to recall it from the mountains of documentation I read over

Re: service ticket acls on the KDC?

2002-01-21 Thread Ken Hornstein
I am aware of no widely deployed Kerberos applications without authorization support. pam_krb5? You have to be in the Unix password file for pam_krb5 to give you access to a machine. At least, any pam_krb5 implementation I've ever seen works that way. And assuming you could login as

Re: host and services principals/tickets

2002-01-25 Thread Ken Hornstein
Sadly, it looks like LDAP uses the hostname of the server, which is probably not what you really want. I'm not sure in the context of SASL it's possible to do anything else. --Ken

Re: MIT | Cygnus | KTH | Heimdal?

2002-01-30 Thread Ken Hornstein
I am kinda new to kerberos and started to play with ldap / kerberos to get a single-sign-on running for Windows and Unix/Linux-Clients. Right now I am unsure which kerberos implementation to choose. I've checked the FAQ, searched groups.google - without finding pros and cons of the MIT | Cygnus

Re: Paper about kerberos' password security

2002-01-31 Thread Ken Hornstein
(a dictionary attack on an encrypted timestamp is a brute force attack with known plaintext and known ciphertext) No. Dictionary attacks and brute force attacks are very different things. The keyspaces are quite different. We worry about dictionary attacks. We don't worry so much (yet)

Re: Paper about kerberos' password security

2002-02-01 Thread Ken Hornstein
Culture, nothing. Our neural structure itself is against us. I simply can't learn a really strong password within a really strong expiration interval. I'll have to write it down. Poof! there goes the security of strong passwords changed frequently. So call it a passphrase; that seems to

Re: Very Large KDCs

2002-02-03 Thread Ken Hornstein
I think you'll need to make sure that you're using a _modern_ version of Berkeley DB, rather than what comes with MIT Kerberos. Years ago, Cygnus tested the BDB code in Kerbnet with a million principal database. We did not observe any problems (well, we fixed the ones we observed :-). That

Re: Permission denied while initializing kadmin.local interface

2002-02-07 Thread Ken Hornstein
No, that's the whole point... If using sudo/su/ksu, then it works. But I have two 'help admins' (ie, ordinary users which help out with bits and pieces) that I don't want to give sudo/su rights to... Andreas Then you can't use kadmin.local, just kadmin. Have them

Re: MD5 passwords possible with Kerberos?

2002-02-10 Thread Ken Hornstein
(6) Salts have some interesting properties. In Unix, the salt is generally regarded as a secret, which can be securely communicated to the login application. In Kerberos, the salt is public information. Worse yet, the client doesn't generally have any good way to

Re: Mutual authentication and delegation

2002-03-08 Thread Ken Hornstein
Put simply, delegating to a server is a dangerous business. We require MUTUAL_AUTH to ensure that you're really delegating to the correct, intended entity. And to further follow up to the original message Is there any reason to _NOT_ do mutual authentication? --Ken

Re: kadm5.acl rights for foreign principals

2002-03-12 Thread Ken Hornstein
Kerberos FAQ states it's possible (although does not recommend) we can refer foreign principals giving them rights in kadm5.acl file if we trust foreign KDC. Are you sure it says that? As the author of the Kerberos FAQ, I can't find that (it does mention about ACLs, but doesn't specifically

Re: Want to Kerberize an app

2002-03-13 Thread Ken Hornstein
A client has asked us to Kerberize our product. I have looked through the FAQ's and Web sites and I understand what is going on. But I have been unable to find a guide, manual, or example on how to Kerberize the code for an application. Most of the Unix-based Kerberos distributions include

Re: kinit -S host/hostname.domain.com@REALM doesnot send TGS Request

2002-03-28 Thread Ken Hornstein
When we use kinit to get the service ticket for a host, then it will not send TGS_REQ but sends AS_REQ to the KDC. $ ./kinit -S [EMAIL PROTECTED] Password for [EMAIL PROTECTED]: Yes, that's correct. It's supposed to. Note that I suspect you're misunderstanding the use of the -S flag ... it's

Re: Telnet client

2002-04-08 Thread Ken Hornstein
I am trying to develop a telnet client application, You should probably look at other Kerberos telnet clients as examples ... IAC SB AUTHENTICATION IS authentication-type-pair AUTH Kerberos V5 KRB_AP_REQ message IAC SE But I can't implement this RFC 2942 procedure in hexa type just like

Re: ticket lifetime -- I must be overlooking something

2002-04-12 Thread Ken Hornstein
I have a running MIT kerberos V server (on Linux), and I wanted to raise the ticket lifetime for the Tgt's. I raised the maximum ticket life for that principal in kadmin. Did you just raise the max lifetime of the tgt principal, or the client principal, or both? (You need to do both). And

Re: ticket lifetime -- I must be overlooking something

2002-04-12 Thread Ken Hornstein
kinit -l 24h gives longer tickets by now. But kinit (without options) or pam do not. Make sure that kinit -l 300h shows a longer ticket lifetime as well; maybe PAM isn't picking up those entries. This seems to be a client-side issue by now. Where does kinit take its defaults from? I think

Re: Kerberos 5, kprop problem

2002-04-16 Thread Ken Hornstein
'abel' is the main server, it has a cname of 'kerberos'. 'weber' is one of the secondaries, cname kerberos-2. For some reason it's trying to find the canonical hostname of the machine. The installation manual said it should work with CNAMES.. I think you misread the manual. In Kerberos you

Re: Kerberos 5, kprop problem

2002-04-16 Thread Ken Hornstein
Hmm. To quote the manual: MIT recommends that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as kerberos for the master KDC and kerberos-1, kerberos-2, ... for the slave KDCs. This way, if you need to swap a machine, you only need to change a DNS entry, rather than

Re: Kerberos 5, kprop problem

2002-04-18 Thread Ken Hornstein
I am not creating a service ticket (unless kprop is doing it behind the scenes). These are just the principals for the KDC's, to quote the manual again: Those things you've been adding are what I've been talking about (but really better terminology is service principals). Each KDC needs a host

Re: Kerberos 5, kprop problem

2002-04-19 Thread Ken Hornstein
Look at this section: http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.4/doc/install.html#SEC12 And this: http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.4/doc/install.html#SEC59 I looked at those; neither of those sections say, Create host principals for your KDCs based on the alias instead

Re: ftpd and AFS tickets

2002-04-24 Thread Ken Hornstein
I get logged in with entering password/passphrase, so GSSAPI works. But I have no ticket, not even if requesting a forwardable and/or proxiable ticket on my client at home. Since I don't have a ticket, I can't get a token either... So this GSSAPI isn't working, or I'm making a big mistake

Re: Kerberos support in SSH

2002-04-30 Thread Ken Hornstein
checking whether to use Kerberos... yes checking for gethostbyname in -lresolv... (cached) yes checking for com_err in -lcom_err... (cached) yes checking for krb5_decrypt in -lk5crypto... (cached) no checking for krb5_auth_con_init in -lkrb5... (cached) no No Kerberos5 installed - support

Re: Switching to ccache v4?

2002-05-17 Thread Ken Hornstein
Why not change the default ccache version then? I remember hearing that there was a problem with that, but I can't remember what that was... It breaks under OS X (you get Invalid credential cache version when you try to kinit). I'm not sure why; I just noticed it and I haven't had time to

Re: kdb5_util dump on host1 kdb5_util load on host2

2002-05-21 Thread Ken Hornstein
Oki, so I use the stash file from papadoc (the current KDC) just temporarily, it's not needed afterwards? Is there a reason you really want to have a different master key on your slave KDCs? Because I sure can't think of any good reason for doing it. --Ken

Re: Turning off encryption

2002-06-18 Thread Ken Hornstein
I am implementing one-time-passwords into Kerberos 1.2.5. More specifically I'm using hardware authentication for the principal in question which must provide a one-time-password to the presented challenge. The get_sam_edata is done and provides the challenge. Peter, If you're willing to wait,

Re: How to prevent very very large ccaches?

2002-06-18 Thread Ken Hornstein
Wow. I knew we had some bogus stuff in some of our I/O code, but didn't realize it was so serious. There's a bunch of stuff in there. I noticed during a system call trace once that keytabs are apparently read in a byte at a time. I haven't tracked that one down yet, though (it might be fixed

Re: Authentication to ADS

2002-07-01 Thread Ken Hornstein
(Anyone familiar with T/TCP? Are many systems implementing it? Is it worth trying to support in this client-side code?) AFAIK, the only operating system to implement it is FreeBSD, so I would say no. --Ken Kerberos mailing list [EMAIL

Re: Installing Slave KDC

2002-07-11 Thread Ken Hornstein
You do BOTH ktadd's on the master, then copy (SAFELY) that keytab to the slave. That's bad advice, IMHO. One common problem people run into when setting up their second KDC is that at that point, they don't really understand what the host secret is _for_, and they're not aware of the subtle

Re: Eudora-Mac-Cannot communicate with Kerberos

2002-08-01 Thread Ken Hornstein
I encountered the same problem in Windows NT 4.0 using Eudora 5.1. The problem is Eudora only works with Kerberos 4 even though the Qpopper 4.0 recommends Kerberos 5. So make sure your KDC is kerberos 4. Good news is the next release will work with kerberos 5. Uh, I've been using Eudora with Kerberos 5

Re: Eudora-Mac-Cannot communicate with Kerberos

2002-08-01 Thread Ken Hornstein
umm, I've been using Kerberos 4 with Eudora under Mac OS X since it was available in early beta. Why would you think it doesn't work? I was told that they got rid of the Kerberos support completely (and my testing had shown that), but I was just told by someone else that Qualcomm added new

Re: Eudora-Mac-Cannot communicate with Kerberos

2002-08-01 Thread Ken Hornstein
So this is really a good news to me. May you let me know what specific configuration I need to modify to make it work. You need a V5-capable KCLNT32.DLL (that's the Kerberos piece that Qualcomm doesn't provide). That's sorta specific to your Kerberos implementation, though ... I could give you

Re: Eudora-Mac-Cannot communicate with Kerberos

2002-08-01 Thread Ken Hornstein
I got my kclient programs from MIT, it is the newest version Kerberos for windows 2.1.1. May you let me know what version you use? Uh, we use a really really old version, for a bunch of reasons. But it looks like the kclnt32.dll included with that version of MIT Kerberos only does Kerberos 4;

Re: Is this too big of a change?

2002-08-26 Thread Ken Hornstein
The OpenAFS and Arla community is working on support for somewhat more native krb5 authentication to AFS. Servers will support the encrypted part of a krb5 ticket sent with a special kvno as an AFS token. It turns out that if you have a special krb524d this improvement allows you to upgrade

Re: microsoft xp gssapi client talking to solaris8 gssapi server

2002-10-06 Thread Ken Hornstein
Similarly, with the MIT tarball, I grab it from the UK debian mirror as a .deb and extract it. The export was not done by me I haven't broken any laws by downloading it. If you believe THAT, then I've got a couple dozen bridges I'd like to sell you. --Ken

Re: microsoft xp gssapi client talking to solaris8 gssapi server

2002-10-06 Thread Ken Hornstein
Similarly, with the MIT tarball, I grab it from the UK debian mirror as a .deb and extract it. The export was not done by me I haven't broken any laws by downloading it. If you believe THAT, then I've got a couple dozen bridges I'd like to sell you. Er, which law are you suggesting that

Re: microsoft xp gssapi client talking to solaris8 gssapi server

2002-10-06 Thread Ken Hornstein
I assumed it was a given in this case that the original export was done legally. True, the UK Debian mirror is no different from a US mirror in this regard, but I took your message as suggesting there was a known export violation here. My apologies if I implied Debian was doing the wrong

Re: FW: Talking with Kerberized services using GSS-API

2002-10-18 Thread Ken Hornstein
Secondly, I understand SASL can offer up one mechanism (GSSAPI) on a session and an additional session/mechanism such as EXTERNAL. Why not provide for future flexibility? If I can offer up PKI via EXTERNAL in addition to GSSAPI does it defeat the purpose of PKINIT? I believe there is a lot to

Re: afs-krb5 integration

2002-10-17 Thread Ken Hornstein
I have strange problems in integrating openafs into krb5. I use openafs 1.2.7 and kerberos 1.2.6 for the slave-server and 1.2.4 for the kerberos master/admin server. I checked everything with these key-versions (thanks to Derek on the openafs mailing list), but it did not help. I always get ticket

Re: afs-krb5 integration

2002-10-17 Thread Ken Hornstein
There is also a bug in krb524d that does not set the kvno on the returned V4 ticket. Here's a patch: Interesting ... so what triggers this? I mean, it seems to work in normal circumstances ... --Ken Kerberos mailing list [EMAIL

Re: Ticket lifetimes 10 hrs?

2002-11-14 Thread Ken Hornstein
I seem to be having the same problem. I'm running krb5-1.2.5. I changed my kdc.conf so that max_life = 25h 0m 0s. I then restarted kadmind and created a test principal. Sure enough, its max life was 25 hours. But when I did a 'kinit -l 20h' for the principal, I got a TGT which would expire in

Re: Ticket lifetimes 10 hrs?

2002-11-14 Thread Ken Hornstein
Oops, no I hadn't! So, I just restarted krb5kdc and that seems to do it. Of course, I still can't get a TGT with a lifetime greater than 21:15:00, which is the max life set for my krbtgt principal. But at least I know that 'kinit -l' isn't broken. So, I guess the key is you need to set: -

Re: Ticket lifetimes 10 hrs?

2002-11-14 Thread Ken Hornstein
- max_life in kdc.conf - Restart kdc - desired lifetime on both client and krbtgt principal - I've seen this question at least 3-4 times on the list. Is it in the FAQ? No, but it should be. Another one for the list ... --Ken Kerberos mailing

Re: Ticket lifetimes 10 hrs?

2002-11-15 Thread Ken Hornstein
- Unless you are using the server principals to get tickets, I don't see any reason to reset those values. Yes, you will get service tickets with a shorter lifetime, but so what? As long as you have a krbtgt you can get all the service tickets you need[1]. Have you ever actually done this?

Re: Ticket lifetimes 10 hrs?

2002-11-15 Thread Ken Hornstein
and you CANNOT get a new ticket for that service without acquiring a new TGT. - Um, that seems very broken. Is the problem just that the mk_req routines are not checking the expiration time of the existing service ticket? There are two problems: - The MIT client side library won't get you a

Re: Ticket lifetimes 10 hrs?

2002-11-15 Thread Ken Hornstein
I'm not sure that your interpretation of this code snippet is correct: Always a possibility, I will freely admit :-) until = (request->till == 0) ? kdc_infinity : request->till; enc_tkt_reply.times.endtime = min(until, min(enc_tkt_reply.times.starttime + server.max_life,

Re: Ticket lifetimes 10 hrs?

2002-11-15 Thread Ken Hornstein
- The MIT client side library won't get you a new service ticket if you have one already cached, even if it's expired. Is this just a matter of someone leaving out a KRB5_TC_MATCH_TIMES flag somewhere? TC_MATCH_TIMES is already set in my reading of the code, and it's been in there for a

Re: Kerberos error message

2002-12-10 Thread Ken Hornstein
A lot of our users have been getting the following popup error messages when using their Eudora clients: Kclnt32 Server rejected: Server rejected authentication (during sendauth exchange) Permission denied in replay cache code Our mail server has been undergoing a number of changes (upgrade of

Re: Problems with kerberized telnetd and telnet - progress! (fwd)

2003-01-14 Thread Ken Hornstein
Actually, on rereading the stuff I pasted below, I realized that my local password _hadn't_ worked. So I tried things again, and here is what I now get : ken@sid:~$ [EMAIL PROTECTED] telnet -axF -k ebiz.austin.ibm.com ebiz. Well, _first off_, is your Unix userid _really_ [EMAIL PROTECTED]?

Re: Problems with kerberized telnetd and telnet - progress! (fwd)

2003-01-14 Thread Ken Hornstein
login/v4: Cannot contact any KDC for requested realm converting to V4 credentials Linux ebiz.austin.ibm.com 2.2.20 #2 Fri Dec 7 18:28:51 CST 2001 i586 unknown What's the deal with the login/v4 message? Does that mean Cannot contact any KDC (surely not) or Cannot contact any KDC for

Re: Problems with kerberized telnetd and telnet - progress! (fwd)

2003-01-14 Thread Ken Hornstein
As for whether or not it can be ignored ... well, it works, doesn't it? :-) Unless you need V4, you can ignore it. can't you turn off login's attempt at 5-to-4 in krb5.conf? You can, I just don't recall what the option is. --Ken Kerberos

Re: Kerberos and integrated login

2003-01-16 Thread Ken Hornstein
You will note AFS is still around. One reason I think it is is that one can separate the authentication from the authorization. That is certainly part of it, but DCE costing approximately 10 times AFS (for less platforms!) wasn't exactly a great selling point either. And now AFS is free (and of

Re: kerberos and SASL compile problem

2003-01-20 Thread Ken Hornstein
I am working on compiling Cyrus SASL for GSSAPI on Solaris 2.6. I receive the following error when running make - gssapi.c: In function `sasl_gss_free_context_contents': gssapi.c:501: `GSS_C_NO_NAME' undeclared (first use this function) gssapi.c:501: (Each undeclared identifier is reported only

Re: [Fwd: Re: krb5 ticket cache]

2003-02-06 Thread Ken Hornstein
(before you ask why the heck would you want to do THAT? ... our pop server uses PAM for authenticating non-kpop users against their kerberos password, and in doing so it leaves behind a TON of key caches ... I'm wondering if this might be one way to get rid of them) (and, before you suggest

Re: Kerberos sserver

2003-03-04 Thread Ken Hornstein
I've encountered a problem in running kerberos sample server (sserver) after installing KDC. The client shows the message Key version number for principal in key table is incorrect. Is there anyone who can tell me how to fix the problem? Um.. I've created /etc/krb5.keytab for the

Re: question about FTP and kerberos

2003-03-10 Thread Ken Hornstein
Kerberos5 (a.k.a. GSSAPI) ftp supports data encryption also, if you want. But you need a Kerberos ftp, which I guess for Windows means Kermit or WRQ Reflection, maybe others. For Windows, FileZilla seems to work well for me (available at SourceForge). --Ken

Re: Password expiration

2003-03-10 Thread Ken Hornstein
I know, but I just don't know how my userbase will react to the need to have Kerberized clients around. Again, if I could get a set of clients put up on my ftp site that - use tickets - will prompt users for a password when there's no ticket/an expired ticket, and obtain

Re: Password changing for xdm

2003-03-21 Thread Ken Hornstein
Heh. You see why I choose to make xlock use the Kerberos call directly? Yep -- were these patches submitted to the XFree86 xlock or xlockmore? Where could I find them? xlockmore; if you go to the xlockmore site and download the latest snapshot, they should be in there. --Ken

Re: Password changing for xdm

2003-03-21 Thread Ken Hornstein
It's been a while but last I checked xlockmore did not handle the case where the user's passwd has expired while the screen was locked. Though I think it could readily, as the krb5 code it seems to me returns an error code about an expired passwd after it's checked to see if the passwd matched.. that

Re: Password changing for xdm

2003-03-21 Thread Ken Hornstein
xlockmore; if you go to the xlockmore site and download the latest snapshot, they should be in there. You may be interested to know that a hamfisted attempt to put your prompter code into the Kerberized XDM worked a little: Hm, yeah, I expected something like that. The problem is that

Re: running kerberos client apps on win2k

2003-03-25 Thread Ken Hornstein
So I think what I want is a slightly modified version of kerberos that will compile under cygwin but look for the tickets in the standard win2k place. Or else maybe it will call the internal win2k code to request tickets for services. Check out ms2mit.exe in the MIT Kerberos distribution (if you

Re: ms2mit.exe: is there a corresponding mit2ms.exe ?

2003-06-06 Thread Ken Hornstein
connection, I can run the 'kinit.exe' that is a part of the KfW distribution to get a TGT into my MIT cache, but I can't seem to find a way to get credentials into the MS cache, so certain apps (putty, e.g.) that are expecting my creds to be in the MS cache will not work. Silly question ...

Re: ASN.1 failed call to system time library

2003-05-29 Thread Ken Hornstein
(Yes, this was a couple of weeks ago). Russ Allbery [EMAIL PROTECTED] writes: We're seeing a regular trickle of these log messages from our KDCs. Is this anything to worry about, or should we just ignore them? krb5kdc[3531]: ASN.1 failed call to system time library - while dispatching How

Re: Windows 2000 Server as KDC

2003-07-22 Thread Ken Hornstein
an easier solution would be to setup a windows realm for Win2k KDC and a cross realm trust with a linux box in a different realm. We were doing this (with Solaris, not Linux), but when the bug and fix for the cross-realm security hole came out a few months ago, that caused it all to break (we

Re: Windows 2000 Server as KDC

2003-07-22 Thread Ken Hornstein
We're not running OpenAFS. Still Transarc AFS. Heh, sucks to be you :-) I hadn't heard that there's a pure krb5 solution for AFS, though ... even with OpenAFS. Well, I wouldn't call it pure. It's restricted to single-DES, and it's only sorta V5, but it's enough to fix the V4 cross-realm

Re: kerberos ftpd bug? can't get it to work (New, sort of)

2003-08-01 Thread Ken Hornstein
GSSAPI accepted as authentication type GSSAPI error major: Miscellaneous failure GSSAPI error minor: No principal in keytab matches desired name If you turn on ftpd debugging (-d), ftpd will log a whole bunch of crap to syslog. One of the things it logs is the name it's trying to use locally.

Re: Strange flags with klist

2003-08-21 Thread Ken Hornstein
I am trying to figure out what the 'T' flag is when I run klist -fae (Flags: FfPAT). So far, I have not found anything online or in the man pages. I believe that's the Transit Policy Checked flag, which probably wouldn't matter much to you unless you're doing cross-realm authentication. --Ken

Re: KerberosTime

2003-11-06 Thread Ken Hornstein
Kerberos uses GeneralizedTime to communicate between the peers. My question is: Why? In my view (again my view) using integer to communicate the seconds elapsed since 01/01/1970 is much easier to handle. Not to mention UNIX does provide natural support for that (I mean: SUSV#), i.e., just

Re: KerberosTime

2003-11-07 Thread Ken Hornstein
Because it's very likely most of us will still be around by the time the year 2038 rolls around. :-) ASN allows you to use up to 127 octets for representing an integer, so using integer would not be a problem. In theory, yes. But if you look at the Kerberos clarification document (currently an

Re: KerberosTime

2003-11-09 Thread Ken Hornstein
I notice you never really addressed the whole leap second thing. Does epoch time include leap seconds? It's never been clear to me. But nevertheless I guess no! At least according to how POSIX says to make conversion between calendar time to seconds since epoch: (year here is the *real*

Re: Migrating from b6 to 1.3.1 (without the a master key phrase)

2003-11-12 Thread Ken Hornstein
We run b6, and are now about to upgrade to 1.3.1. We also want to change encryption key (and type). (We do not have the key phrase, just the stash file). The FAQ isn't quite up to date. The summary is: You can change the key, but not the enctype. --Ken

Re: Migrating from b6 to 1.3.1 (without the a master key phrase)

2003-11-12 Thread Ken Hornstein
Interesting. I managed to do this once for a test realm I think. Did it have a password history on any of its principals? Actually, I would think that it wouldn't matter, but who knows. --Ken Kerberos mailing list [EMAIL PROTECTED]

Re: Kerberos insecure

2003-12-08 Thread Ken Hornstein
Kerberos does not ensure message integrity (assuming you are referring to data in addition to the authentication ticket). However, the GSS API which is a part of MIT's KerberosV can be used to checksum (GSS_GetMIC()) or encrypt for privacy (GSS_Wrap()). But you _can_ do that inside of Kerberos.

Re: malloc hang inside krb5_sendto_kdc

2004-02-02 Thread Ken Hornstein
So is this a known bug? I've read some stuff that if a program clobbers malloc'ed memory it can sometimes exhibit a hang in _malloc_consolidate. That can certainly happen (on the systems I use, it generally just crashes, but hanging doesn't surprise me as a possible option). Any hints on

Re: Thread-safe libraries

2004-02-25 Thread Ken Hornstein
It is also worth noting, that, while Heimdal is not thread safe (at least there are no guarantees), it has proven to be much more thread-robust than MIT. OpenLDAP page and a couple of users have experienced problems with MIT and threaded OpenLDAP server, while Heimdal performed flawlessly. It

Re: Thread-safe libraries

2004-02-25 Thread Ken Hornstein
I think that's false. I believe that krb5_rd_req will end up setting up a rcache later. I think Cesar is right, actually. krb5_rd_req will only set up a replay cache if you pass in the server argument, which is set from creds->princ, which is NULL if you call the gss function with

Re: Thread-safe libraries

2004-02-25 Thread Ken Hornstein
According to strace ... 1.2.8 app server with named credential - opens an rcache. 1.3.1 app server with no credential - no evidence of rcache being opened. Hm, regarding my previous note It looks like I was wrong, krb5_rd_req() will get a replay cache even if the passed-in server is NULL,

Re: WebISO: the killer kerberos app?

2004-03-08 Thread Ken Hornstein
What makes you think that WebAuth hasn't gone beyond the experimental stage? I guess I chose the wrong words there. Basically, I just meant moving it beyond Stanford and into the mainstream. I did not mean to marginalize your efforts. Actually ... judging by the people who want some form

Re: kerberos password change in master-slave environ

2004-03-24 Thread Ken Hornstein
Changing it every 5 minutes still means you can't really login or do anything until after 5 minutes have passed. And what do you do when your password database is several megs and takes 2 or 3 minutes to transfer? I think you're making a mountain of a molehill here. It actually works pretty

Re: kerberos password change in master-slave environment

2004-03-24 Thread Ken Hornstein
Unfortunately, PREAUTH_FAILED corresponds to the password being deemed incorrect, since we have requires_preauth on all user principals. Ever hear of the phrase, a little knowledge is dangerous? :-) KRB5_PREAUTH_FAILED is an internal client-side library error. KRB5KDC_ERR_PREAUTH_FAILED is

Re: Kerberized Apps

2004-03-30 Thread Ken Hornstein
Here's one thing I don't have working yet, but haven't really sat down to puzzle over: We have two KDCs. The master is behind our firewall on a private network, but we have a slave on a public network. The only way for users outside the private network (which is most of them) to change their

Re: scaling problems

2004-04-14 Thread Ken Hornstein
So, logical consequence is that master must answer all TGT requests. There are two things missing here. The user's password is only required for AS requests. You don't need the user's password for TGS requests, which are the vast majority of Kerberos requests. At least one major Kerberos

Re: Extract Keytab Remotely, Key table entry not found

2004-04-15 Thread Ken Hornstein
Since kadmin doesn't support cross realm authentication, I cannot extract a keytab locally: Ideally, you should extract each keytab locally ... If this is not feasible, you should use an encrypted session to send them across the network. How does one use an encrypted session to send a keytab

Re: SEAM krb API

2004-04-19 Thread Ken Hornstein
does seam support kerberos API calls? I need to implement a kerberos client app that needs to get initial credentials and So far based on my investigation, SEAM doesn't seem to have kerberos api calls. I found krb_get_cred but I believe these are kerberos 4 API calls and besides I don't have a

Re: Cross-Realm authentication

2004-07-02 Thread Ken Hornstein
Expert: You can't put your SSO in production, because Kerberos cross realm authentication doesn't work! Me: Is it an issue in Microsoft Kerberos? Expert: No. The Kerberos protocol has been so poorly designed, that cross-realm authentication just doesn't work at all. Maybe Microsoft has

Re: Two-factor Authentication Options?

2004-07-15 Thread Ken Hornstein
So what options are there in that space? AFAIK none --- with the standard open source servers. There are patches available for MIT to support CRYPTOcard and SecureID. There are patches available for Heimdal to support X509 certificates (PKINIT). Just as a note: if you want to go down the

Re: Kerberized Client

2004-08-12 Thread Ken Hornstein
In fact, most email clients support Kerberos 5 via GSSAPI (very frequently using SASL), including Mulberry, Apple Mail.app, Microsoft Outlook, pine, and mutt. Mail clients which I know do NOT support Kerberos 5 include: Mozilla Mail, Eudora (I think it only supports Kerberos 4), and I'm sure there

Re: kpasswd failure due to time out

2004-09-01 Thread Ken Hornstein
That's all that ever appears in the log. I have the kadmin log segregated and nothing ever shows up in that log during this operation. I thought the kadmind daemon was responsible for this but it never gets involved from what I can tell. Here's the problem: the admin server will _not_

Re: When does krb5_rd_req return ENOENT?

2004-09-21 Thread Ken Hornstein
3. From an strace, I've managed to find out that the Kerberos library opens the replay cache, reads it, and then tries to open a file with the empty string as file name (which explains the ENOENT). It then closes the replay cache. I've linked against the MIT Krb5 libraries, version 1.2.7. Can

Re: Using ssh-keys for kerberos authentication

2004-10-14 Thread Ken Hornstein
Why not just use Kerberos authentication at the ssh layer though. People like ssh-keys and they are considered rather secure, passwords are not (they are more vulnerable to brute-force-attacks). I know plenty of people who have gotten 0wned because of widespread use of ssh-keys (more than I

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
Isn't that broken? You can't load balance the admin server because MIT isn't multi-master. For DR it's just as easy to bring up a new server with the old server's IP. No, it's not broken. The kadmin server that's active responds to the request. If my admin server goes down I can promote one

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
If we could modify DNS to do DNS round-robin, we too would be okay. But we can't. This is the part I don't understand. _WHY_ do you think you need this? I've literally run 6 years with a very simple setup: two KDCs, each one listed in DNS and our krb5.conf. On the rare occasions we lose a

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
How do you list both in DNS? Are you implying that in DNS you only have (for instance) kerb1.mit.edu and kerb2.mit.edu and list both machines as KDCs in the krb5.conf. If so, the app then randomly picks a KDC and tries that and if that fails, it rolls over to the next? You then build that

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
I guess the problem that everyone is having with our deployment is the term load-balancer. We don't actually want to ease the load off of our KDC's, we just want to provide a seamless way of ensuring availability in the event that we lose one (or more) of them. I think it's true for everyone who's

Re: Min password age

2004-11-07 Thread Ken Hornstein
I've been unable to get the minimum password life feature to work. I set the default policy to make the minimum password life equal to 300, yet I can change passwords over and over again immediately. What am I doing wrong? You're not doing anything wrong. The minimum password lifetime feature

Re: Missing parms in kdc.conf

2004-11-26 Thread Ken Hornstein
kdb5_util: Required parameters in kdc.conf missing while initializing the Kerberos admin interface Unfortunately, many times with these errors, it's UTSL. There is only one place where this error is returned. It's in lib/kadm5/srv/server_init.c. Reading this, here is the list of required

Re: Generic unknown RC/IO error while verifying initial ticket

2004-12-01 Thread Ken Hornstein
Would you be interested in helping design a way to do this? Heimdal allows an error string to be stored inside a context and retrieved later. That gives you enough flexibility to store the file name etc. The complexity is that we would need to go through the code and

Re: Generic unknown RC/IO error while verifying initial ticket

2004-12-02 Thread Ken Hornstein
If I have a call chain of a->b->c. If (c) registers an error - sets the extended error code and returns to (b) - should (b) then be able to register its own complaint and extended error - or would that mask (c)'s message. We sort of need a stack... Upon entry to a high level kerberos function -
