On October 5, 2017 12:06:51 PM EDT, Greg Hudson <ghud...@mit.edu> wrote:
>On 10/05/2017 07:52 AM, Harald Barth wrote:
>> And because the return code ret is the same as the error_code in the
>> context, krb5_get_error_message() just copies the string from the
>> context. However, if krb5_get_error_message() does its own lookup of
>> -1765328383 it gets "Client's entry in database has expired" which is
>> more like it. But where does "No ENC-TS found" come from and why is it
>> "better" than the own lookup?
>
>I didn't find anything like "No ENC-TS found" in the Heimdal source
>code, so my best guess is that this is coming from
>rd_error.c:krb5_error_from_rd_error() which does:
>
>    ret = error->error_code;
>    if (error->e_text != NULL) {
>        krb5_set_error_message(context, ret, "%s", *error->e_text);
>    }
>    ...
>
>If my theory is correct, the KDC is sending unhelpful e_text and/or
>Heimdal is too trusting in using the e_text in preference to the string
>corresponding to the error code. In this case, concatenating the error
>code string with the e_text would produce a better result but not an
>ideal one, as "No ENC-TS found" shouldn't appear in the error message
>at all.

Both, I think. kinit (and other clients) ought to report something like "error_message (e_text)", unless the e_text is empty or the same as the message for the error code. Of course, more complex variations are possible, what with both locally- and KDC-generated error codes and additional messages. But just blindly using the e_text and nothing else is clearly wrong.

That said, the KDC should not be sending this particular e_text in this situation. I'll bet there's a loop that looks for suitable PA data, and that message gets produced if it finishes without finding any, even though the problem is something else entirely.

-- Jeff
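The client-side reporting rule proposed above ("error_message (e_text)", unless the e_text is empty or identical to the error-code string), written out as an added example that is not code from this thread or from Heimdal; `error_code_string()` is a constructed stand-in for the library's own code-to-message lookup, seeded only with the one code quoted in the thread, and `format_kdc_error()` is a hypothetical helper name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed lookup: stands in for the library's own code-to-string
 * mapping. Only the code discussed in the thread is known here. */
const char *error_code_string(long code)
{
    if (code == -1765328383L)
        return "Client's entry in database has expired";
    return "Unknown Kerberos error";
}

/* Local strdup so the example builds under strict C99 (strdup is POSIX). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/* Hypothetical reporting policy: always keep the error-code string, and
 * append the KDC-supplied e_text in parentheses only when it adds
 * information (present, non-empty, and not a duplicate of the string).
 * Caller frees the result; returns NULL on allocation failure. */
char *format_kdc_error(long code, const char *e_text)
{
    const char *base = error_code_string(code);

    if (e_text == NULL || e_text[0] == '\0' || strcmp(base, e_text) == 0)
        return dup_string(base);

    size_t n = strlen(base) + strlen(e_text) + 4; /* " (" + ")" + NUL */
    char *out = malloc(n);
    if (out == NULL)
        return NULL;
    snprintf(out, n, "%s (%s)", base, e_text);
    return out;
}

int main(void)
{
    /* Constructed inputs mirroring the thread: misleading e_text from the KDC. */
    char *msg = format_kdc_error(-1765328383L, "No ENC-TS found");
    printf("%s\n", msg);   /* code string survives, e_text is visible but secondary */
    free(msg);
    return 0;
}
```

With this rule the expired-entry message is never lost, and a misleading e_text such as "No ENC-TS found" is shown as supplementary detail rather than replacing the real diagnosis.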