recently came across many errors of the form

230308 17:28:44 5766 XrootdXeq: User authentication failed; Seckrb5: Unable to extract client name;; No translation available for requested principal ([log in to unmask]).

This message is misleading - the thing that fails translating to a local account name is not the server principal (which is logged here) but rather the one supplied by the client (which is not). Would it be possible to instead log the failing client principal in this case?
https://github.com/xrootd/xrootd/blob/master/src/XrdSeckrb5/XrdSecProtocolkrb5.cc#L503 has the failing condition but https://github.com/xrootd/xrootd/blob/master/src/XrdSeckrb5/XrdSecProtocolkrb5.cc#L530 then always logs (server) Principal.

(underlying issue in our case was "accidentally" re-using a Kerberos credential cache, in the default location..)


Message ID: <xrootd/xrootd/issues/1948@github.com>