>I would be happy to have more trace logging to diagnose PKINIT errors,
>but converting every pkiDebug() call probably wouldn't meet the criteria
>for good trace logging. We've already made a few passes in this area,
>most recently one from you which went into release 1.20 (commit
>34625d594c339a077899fa01fc4b5c331a1647d0).

I guess what I was thinking was maybe not EVERY pkiDebug() call, but more
all of the ones that report errors. E.g:

>    if ((r = id_cryptoctx->p11->C_SignInit(id_cryptoctx->session, &mech,
>                                           obj)) != CKR_OK) {
>        pkiDebug("C_SignInit: %s\n", pkcs11err(r));
>        return KRB5KDC_ERR_PREAUTH_FAILED;
>    }

There are others than the PKCS#11 calls, of course. I guess what I'd like
(if possible) was that anytime the plugin returned PREAUTH_FAILED, the
debug trace will explain why.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos