[Dovecot] [PATCH] Allow GSSAPI to work with multihomed hosts

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Wed Aug 13 23:43:33 EEST 2008


On Wed, Aug 13, 2008 at 03:07:55PM -0400, Timo Sirainen wrote:

>> +               auth_request_log_info(request, "gssapi",
>> +                    "Using all keytab entires");
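
Review bot: The message string passed to auth_request_log_info() misspells "entries" as "entires", which makes the line harder to find when grepping logs for keytab problems. Correct the spelling, and since this line only reports which keytab entries are being used and matters only while debugging, consider emitting it at debug level rather than info, as discussed in this thread.
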
>
> I'm beginning to wonder about the logging in the code though. To me it 
> looks like all of these should rather be log_debug instead of log_info. And 
> I don't see any log_infos for logging why the user login actually failed 
> (does gssapi even tell anything about it?). Or debug logging about what the 
> usernames are when trying to log in. And the GSSAPI errors probably should 
> be logged with log_info instead of log_error, because they probably aren't 
> errors that the sysadmin can do anything about, but rather some client 
> misconfiguration or a client bug (at least after the initial configuration 
> is done and working).

Well, I am not an expert on gssapi, but there are definitely failures due
to administrator misconfiguration and some are the user's fault.

For instance, any failure from obtain_service_credentials is a
configuration error. Failures due to service credential mismatch,
encryption type mismatch, etc. are also configuration errors, but they
occur later in the process.

To be honest, nobody seems to do a super job of logging kerberos
messages. The error messages from the library are terse and contain no
information from the packet. Debugging a service principal name
mismatch is a royal pain.

The log in my patch probably should be log debug, I just copied the
log level from the existing 'Obtaining credentials' message. They are
not important unless someone is debugging.

Thanks,
Jason