improve debugging of ticket verification in ksu

When ksu is built with debugging support and -D is used, print out the
principals being compared before doing the verification rather than
afterwards so that the principals will be printed when the verification
fails.

ticket: new
Component: krb5-appl
Version_Reported: 1.6.2

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20196 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
index 6c3c94debc4a31c7266aff477763d58e843c6f25..f19c169249d5ba027118bf7c5cbb0859e729d83b 100644 (file)
--- a/src/clients/ksu/krb_auth_su.c
+++ b/src/clients/ksu/krb_auth_su.c
@@ -300,16 +300,16 @@ krb5_verify_tkt_def(context, client, server, cred_ses_key,
        return retval;
     }
     
-    if (server && !krb5_principal_compare(context, server, tkt->server)){
-       return KRB5KRB_AP_WRONG_PRINC;
-    }
-    
     if (auth_debug){ 
-       fprintf(stderr,"krb5_verify_tkt_def: verified target server\n");
+       fprintf(stderr,"krb5_verify_tkt_def: verifying target server\n");
        dump_principal(context, "server", server); 
        dump_principal(context, "tkt->server", tkt->server); 
     }  
     
+    if (server && !krb5_principal_compare(context, server, tkt->server)){
+       return KRB5KRB_AP_WRONG_PRINC;
+    }
+    
     /* get the default keytab */
     if ((retval = krb5_kt_default(context, &keytabid))){
        krb5_free_ticket(context, tkt);