> John Hascall wrote:
> > As a part of our seemingly endless path to
> > eliminating KRB4 I was thinking I'd like
> > to replace or modify krb524d to just log
> > the request and always return an error
> > (KRB524_KRB4_DISABLED seems ideal, but as
> > near as I can tell it only is used in the
> > client code). Has anyone gone down this
> > path before?


> I think that is reasonable. The clients already have to expect to
> receive that value if the library was built without 524 support.
> Jeffrey Altman


I tried it, and alas, it appears that (at least some old) clients die
ugly when they get a krb5_error_code that they do not know:

% kinit
Password for john@IASTATE.EDU:
kinit(v524): Segmentation fault

> 0 __memccpy(0x3ff800daac0, 0x14000b60a, 0x3ffc0080310, 0x3ffc0091338,

0xffffffffffffffff) [0x3ff800d91fc]
1 fputs(0x11ffff4d0, 0x140058bc8, 0x140058ba8, 0x140040a18, 0x100000000)
[0x3ff800da9f8]
2 default_com_err_proc(whoami = 0x140012140 = "kinit(v524)",
code = -1750206200, fmt = 0x140000970 = "converting to V4 credentials",
ap = struct {
_a0 = 0x11fffee00
_offset = 24
}) ["com_err.c":87, 0x1200720cc]
3 com_err_va(whoami = 0x140012140 = "kinit(v524)", code = -1750206200,
fmt = 0x140000970 = "converting to V4 credentials",
ap = struct {
_a0 = 0x11fffee00
_offset = 24
}) ["com_err.c":108, 0x120072264]
4 com_err(whoami = 0x140012140 = "kinit(v524)", code = -1750206200,
fmt = 0x140000970 = "converting to V4 credentials")
["com_err.c":133, 0x120072318]
5 try_convert524(k5 = 0x11ffff4d0) ["kinit.c":1026, 0x1200139b4]
6 main(argc = 1, argv = 0x11ffff668) ["kinit.c":1114, 0x120013dc8]
(dbx)

This kinit was compiled against krb5-1.2.6 which seems to know only
codes -1750206208 .. -1750206201 and not -1750206200[KRB524_KRB4_DISABLED]


John