1.12 KDC log fix - rbasch/krb5 GitHub Wiki

When the KDC logs AS_REQ and TGS_REQ activity, it sometimes fails to populate the server principal and substitutes `<unknown server>`. The server principal name is usually available at that point, and older releases (1.10 and earlier) logged it correctly. The AS_REQ logging gap exists only in 1.12; the TGS_REQ logging gap exists in both 1.11 and 1.12.

  1. For AS_REQ, the original sequence was: parse the client name, look up the client principal in the database, parse the service name, and then look up the service principal. The patched sequence parses the client principal and the service principal first, and only then looks up each in the database, so a client lookup failure no longer happens before the service name has been parsed for logging.

  2. For TGS_REQ, instead of leaving the service name unset for logging until it has been found in the database, first set it from the service name carried in the TGS request. On a successful lookup the variable is set as before. Logging the requested service principal is useful for diagnostics and was the standard behavior in older releases.
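The practical question for an operator is whether a given KDC is still emitting the placeholders described above. The following is an added example, not code from this wiki or from the krb5 project: it parses krb5kdc.log-style AS_REQ/TGS_REQ lines, extracts client and server principals, and flags lines whose placeholder matches one of the logging gaps discussed on this page. The sample lines are constructed to approximate the KDC's log layout; the exact status strings and spacing are assumptions, and a real log may differ.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines approximating krb5kdc.log output (not real captures).
# Status strings and field spacing are assumptions about the KDC's format.
SAMPLE_LOG = """\
Mar 05 12:34:56 kdc.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1394040896, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 05 12:34:57 kdc.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1394040896, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/app.example.com@EXAMPLE.COM
Mar 05 12:35:01 kdc.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: CLIENT_NOT_FOUND: nobody@EXAMPLE.COM for <unknown server>, Client not found in Kerberos database
Mar 05 12:35:02 kdc.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: UNKNOWN_SERVER: authtime 1394040896,  bob@EXAMPLE.COM for <unknown server>, Server not found in Kerberos database
Mar 05 12:35:03 kdc.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.13: TICKET EXPIRED: authtime 0,  <unknown client> for host/app.example.com@EXAMPLE.COM, Ticket expired
"""

# Request type, enctype list, source address, status, and the remainder of the line.
LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<from>\S+): "
    r"(?P<status>[^:]+):(?P<rest>.*)$"
)
# "<client> for <server>[, <error message>]" at the end of the remainder.
# The placeholders contain a space, so they are matched explicitly.
PRINC_RE = re.compile(
    r"(?P<client><unknown client>|\S+) for "
    r"(?P<server><unknown server>|[^,]+?)(?:, (?P<emsg>.*))?$"
)

UNKNOWN_CLIENT = "<unknown client>"
UNKNOWN_SERVER = "<unknown server>"


@dataclass
class KdcEvent:
    req: str
    source: str
    status: str
    client: str
    server: str
    emsg: Optional[str]

    @property
    def client_unknown(self) -> bool:
        return self.client == UNKNOWN_CLIENT

    @property
    def server_unknown(self) -> bool:
        return self.server == UNKNOWN_SERVER


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Parse one AS_REQ/TGS_REQ log line; return None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    p = PRINC_RE.search(m.group("rest"))
    if not p:
        return None
    return KdcEvent(
        req=m.group("req"),
        source=m.group("from"),
        status=m.group("status").strip(),
        client=p.group("client"),
        server=p.group("server"),
        emsg=p.group("emsg"),
    )


def classify_placeholder(ev: KdcEvent) -> Optional[str]:
    """Name the logging gap a placeholder matches, or None if the line is complete.

    A placeholder is only a symptom of these gaps when the KDC got far enough to
    decode the request; for statuses reflecting an undecodable request the
    placeholder is legitimate, so treat hits as candidates to review.
    """
    if ev.req == "AS_REQ" and ev.server_unknown:
        return "AS_REQ: server principal not logged (1.12 before 1.12.1)"
    if ev.req == "TGS_REQ" and ev.server_unknown:
        return "TGS_REQ: server principal not logged (1.11/1.12 before 1.12.1)"
    if ev.req == "TGS_REQ" and ev.client_unknown and ev.status != "ISSUE":
        return "TGS_REQ: client principal not logged on ticket validation failure"
    return None


def find_placeholder_entries(log_text: str) -> List[Tuple[KdcEvent, str]]:
    """Return every parsed event that carries a placeholder, with its classification."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_kdc_line(line)
        if ev is None:
            continue
        label = classify_placeholder(ev)
        if label:
            hits.append((ev, label))
    return hits


if __name__ == "__main__":
    for ev, label in find_placeholder_entries(SAMPLE_LOG):
        print(f"{ev.req} from {ev.source} status={ev.status!r}: {label}")
```

Run it against a real `krb5kdc.log` by reading the file into `find_placeholder_entries`; a KDC carrying the 1.12.1 fixes should produce no server-principal hits for requests that reached the database lookup, and only the ticket-validation case remains until the second patch is applied.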

MIT patches targeted for 1.12.1:
https://github.com/krb5/krb5/commit/f37067776f9431879769f3874fdab6120ba3f155
https://github.com/krb5/krb5/commit/30589b2a1636de9f9b68591f0e546cb0fa21989f

Consolidated patch to fix server principal logging (included in 1.12.1):
https://github.com/rbasch/krb5/commit/78811dce58b1932c4a007acc9871350e3b497a8a


In May 2014, Richard Basch reported a second issue related to incomplete TGS_REQ logging: when ticket validation fails for any reason, including "Ticket expired", the KDC logs `<unknown client>` even though it successfully decrypted and decoded the TGS request.

1.12.x patch for TGS_REQ client principal logging (submitted to MIT for review):
https://github.com/rbasch/krb5/commit/fe8223afe3acf8749a1aed62044359bbf5bc6a75
