More complete logging of capths violations
It is much easier (i.e. actually possible) to debug transit path policy violations when the logs specify the client and server realms, not just the transit realm.
@@ -427,8 +427,8 @@ krb5_check_transited(krb5_context context,
|
||||
krb5_config_free_strings(tr_realms);
|
||||
krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT,
|
||||
N_("no transit allowed "
|
||||
"through realm %s", ""),
|
||||
realms[i]);
|
||||
"through realm %s from %s to %s", ""),
|
||||
realms[i], client_realm, server_realm);
|
||||
if(bad_realm)
|
||||
*bad_realm = i;
|
||||
return KRB5KRB_AP_ERR_ILL_CR_TKT;
|
||||
|
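Review bot: The widened format string in the `krb5_set_error_message` call now passes `client_realm` and `server_realm` to `%s`, and nothing visible in this hunk establishes that either is non-NULL at this point. Passing NULL to `%s` is undefined behaviour, so if any caller can supply a NULL realm the arguments should be guarded, e.g. `client_realm ? client_realm : "(none)"` and the same for `server_realm`. The realm names are also copied into the message verbatim, and `realms[i]` presumably originates from the ticket's transited field, so whatever writes this error text to logs should treat it as untrusted (control characters, embedded newlines); a one-line comment above the call saying so would help. The body of `krb5_check_transited` starts and ends outside the hunk, so a NULL check may already exist earlier in the function.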
@@ -1705,7 +1705,7 @@ msgstr ""
|
||||
#: lib/krb5/transited.c:457
|
||||
#: lib/krb5/transited.c:490
|
||||
#, c-format
|
||||
msgid "no transit allowed through realm %s"
|
||||
msgid "no transit allowed through realm %s from %s to %s"
|
||||
msgstr ""
|
||||
|
||||
#: lib/krb5/v4_glue.c:153
|
||||
|
@@ -1675,7 +1675,7 @@ msgstr ""
|
||||
#: lib/krb5/transited.c:457
|
||||
#: lib/krb5/transited.c:490
|
||||
#, c-format
|
||||
msgid "no transit allowed through realm %s"
|
||||
msgid "no transit allowed through realm %s from %s to %s"
|
||||
msgstr ""
|
||||
|
||||
#: lib/krb5/v4_glue.c:151
|
||||
|