[Dovecot] [PATCH] Allow GSSAPI to work with multihomed hosts
Jason Gunthorpe
jgunthorpe at obsidianresearch.com
Wed Aug 13 23:43:33 EEST 2008
On Wed, Aug 13, 2008 at 03:07:55PM -0400, Timo Sirainen wrote:
>> + auth_request_log_info(request, "gssapi",
>> + "Using all keytab entires");
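Review bot: the message string passed to the added auth_request_log_info call reads "Using all keytab entires"; it should be "Using all keytab entries". The message only matters when someone is debugging credential acquisition, so a debug-level log call would fit better here than info.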
>
> I'm beginning to wonder about the logging in the code though. To me it
> looks like all of these should rather be log_debug instead of log_info. And
> I don't see any log_infos for logging why the user login actually failed
> (does gssapi even tell anything about it?). Or debug logging about what the
> usernames are when trying to log in. And the GSSAPI errors probably should
> be logged with log_info instead of log_error, because they probably aren't
> errors that the sysadmin can do anything about, but rather some client
> misconfiguration or a client bug (at least after the initial configuration
> is done and working).

Well, I am not an expert on gssapi, but there are definitely failures due
to administrator misconfiguration and some are the user's fault.

For instance any failure from obtain_service_credentials is a
configuration error. Failures due to service credential mismatch,
encryption type mismatch, etc. are also configuration errors, but they
occur later in the process.

To be honest nobody seems to do a super job of logging Kerberos
messages. The error messages from the library are terse and contain no
information from the packet. Debugging a service principal name
mismatch is a royal pain.

The log in my patch probably should be log debug, I just copied the
log level from the existing 'Obtaining credentials' message. They are
not important unless someone is debugging.

Thanks,
Jason