gssapi / gssproxy

A proxy for GSSAPI | Docs at https://github.com/gssapi/gssproxy/tree/main/docs

error messages from kerberos are not logged #75

Open freedge opened 1 year ago

freedge commented 1 year ago

I am using rpc-gssd and the gssproxy mechanism, and I found a mistake in my /etc/krb5.conf:

    default_ccache_name = DIR:/home/%{username}/.k5_ccache

This used to work for regular users needing a ticket, but it fails when root tries to mount an NFS volume, as there is no /home/root directory. It sounds trivial, but the investigation took a while:

With verbosity activated, rpc-gssd will log

    ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - (0x9ae73ac3)

which is not helpful.

In this case Kerberos constructs a readable error message; however, gssproxy simply grabs the Kerberos error code, puts it into a "minor code", and is later unable to display it.

Is it possible to improve gssproxy so that errors coming from the Kerberos API are logged properly? Thanks

I could check that something like

diff --git a/src/mechglue/gpp_creds.c b/src/mechglue/gpp_creds.c
index 677834d..84db676 100644
--- a/src/mechglue/gpp_creds.c
+++ b/src/mechglue/gpp_creds.c
@@ -327,6 +327,11 @@ OM_uint32 gppint_retrieve_remote_creds(uint32_t *min, const char *ccache_name,

 done:
     if (ctx) {
+        if (ret) {
+            char* msg = krb5_get_error_message(ctx, ret);
+            gpm_save_internal_status(ret, msg);
+            krb5_free_error_message(ctx, msg);
+        }
         krb5_free_cred_contents(ctx, &cred);
         krb5_free_cred_contents(ctx, &icred);
         if (ccache) krb5_cc_close(ctx, ccache);
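Review bot: `krb5_get_error_message()` returns `const char *`, so `char* msg` in the new block should be declared `const char *msg` (this also matches what `krb5_free_error_message()` takes, and the project writes the pointer as `char *msg`). Also worth stating in a comment that this only works because nothing runs between the failing krb5 call and `done:`; any intervening krb5 call on `ctx` can replace the extended error text, so the message for `ret` would be lost or wrong, and when `ctx` is NULL (context init failed) no message is saved at all.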

makes the error message a lot more helpful:

    rpc.gssd[54289]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Credential cache directory /home/root/.k5_ccache does not exist

simo5 commented 1 year ago

This will require restructuring the internals a bit, as we need to keep around some state when we go through the various fallbacks.

But it would definitely be very helpful to do so, indeed. It may take some time though, as I do not have spare cycles to afford such a refactoring right now.