We're working on improving Moonshot's error handling and debuggability. Today, all you typically get at the client is "authentication rejected", and at the server is "access reject". We've had some discussion on-list in the last week of the errors we'd like to distinguish. I'd like to discuss our mechanisms for doing that.

On the server, we return an error using gss_display_status. A few years ago Kerberos introduced the convention that the message you get back from gss_display_status can be dynamic. You pass in a major and minor code, but the resulting message, especially for minor codes, is not constant. It may depend on the circumstances of the most recent error. There are facilities in mech_eap for manipulating this. We already do a reasonably good job of mapping libradsec errors into Moonshot errors and recovering the libradsec error message. So, on the server, we can return a fairly dynamic error message.

I'm proposing that we first look to see if an Access-Reject has an Error-Cause attribute. That was defined in the CoA spec, but based on some of the registered values, its usage seems to be more common. The main values from Error-Cause I want to retrieve are values related to proxy failures, particularly including the proxy routing failure code. If Error-Cause is not present, or perhaps even if it is, we look for Reply-Message. If there's EAP, that won't be present, but if things have failed so hard that the EAP was not processed, we can get a Reply-Message.

Between the client and acceptor we have a more limited interface. The ABFAB error token contains a major status and a minor status as an unsigned 32-bit integer limited to the values 0-255 (see sections 5.3 and 7.6 of RFC 7055). We will not be able to communicate out Reply-Message, but we will be able to parse out Error-Cause codes and turn these into meaningful GSS-EAP errors.

Then, we propose to write and send patches to FreeRADIUS to update the trust router code and ABFAB policy. We propose to populate Reply-Message with trust router errors where appropriate and to generate Error-Cause from the more interesting trust router errors. In particular we'll generate a proxy routing error when we fail to find a trust path. We also want to generate an Error-Cause when the IdP rejects for authorization reasons.

Thoughts on this approach? Alan, is Error-Cause the right thing to be using here? Typically the TR code returns noop or notfound rather than reject directly when a mapping isn't found. Should we define another internal attribute and populate Error-Cause when we turn that into a reject in unlang, or should we populate Error-Cause from the TR code directly?

--Sam
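An added example, not from Sam's message and not the Moonshot or mech_eap code, sketching the acceptor-side pipeline the proposal describes in Python: walk the attributes of a RADIUS Access-Reject, pull out Error-Cause (attribute 101, RFC 5176) and Reply-Message (attribute 18, RFC 2865), map the cause to a GSS major/minor pair whose minor fits the 0-255 range the ABFAB error token allows, and pack that pair into a token. The Error-Cause values 501, 502 and 505 are the IANA-registered ones; the minor-code numbers, the constructed Access-Reject packet, and the flat two-uint32 token layout (RFC 7055's token framing is omitted) are assumptions for illustration only. The parser also refuses packets whose length fields do not agree with the bytes actually received, since a reject arriving from an untrusted proxy is exactly where a sloppy TLV walk would over-read.

```python
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 5176)
ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18
ATTR_ERROR_CAUSE = 101

# IANA-registered Error-Cause values (RFC 5176) relevant to proxy and authorization failures
ERROR_CAUSE_ADMIN_PROHIBITED = 501   # "Administratively Prohibited"
ERROR_CAUSE_NOT_ROUTABLE = 502       # "Request Not Routable (Proxy)"
ERROR_CAUSE_PROXY_ERROR = 505        # "Other Proxy Processing Error"

GSS_S_FAILURE = 13 << 16             # routine-error field of a GSS major status

# Constructed minor codes for this example (mech_eap's real numbering is not reproduced).
# All stay within 0-255 so they fit the ABFAB error token's minor status.
MINOR_UNSPECIFIED_REJECT = 1
MINOR_NO_TRUST_PATH = 2
MINOR_PROXY_ERROR = 3
MINOR_AUTHZ_REJECTED = 4

ERROR_CAUSE_TO_MINOR = {
    ERROR_CAUSE_NOT_ROUTABLE: (MINOR_NO_TRUST_PATH, "proxy could not route the request (no trust path)"),
    ERROR_CAUSE_PROXY_ERROR: (MINOR_PROXY_ERROR, "proxy processing error"),
    ERROR_CAUSE_ADMIN_PROHIBITED: (MINOR_AUTHZ_REJECTED, "IdP rejected the user for authorization reasons"),
}


def build_reject(error_cause=None, reply_message=None, ident=1):
    """Constructed Access-Reject for testing: zero authenticator, no Message-Authenticator."""
    attrs = b""
    if error_cause is not None:
        attrs += struct.pack("!BBI", ATTR_ERROR_CAUSE, 6, error_cause)
    if reply_message is not None:
        text = reply_message.encode("utf-8")[:253]   # attribute value is at most 253 bytes
        attrs += struct.pack("!BB", ATTR_REPLY_MESSAGE, 2 + len(text)) + text
    return struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs)) + bytes(16) + attrs


def parse_attributes(body):
    """Walk the TLV list, rejecting any length that would loop forever or read past the body."""
    attrs = []
    i = 0
    while i < len(body):
        if len(body) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length %d" % alen)
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def extract_reject_details(packet):
    """Return (error_cause, [reply messages]) for an Access-Reject, (None, []) for other codes."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field disagrees with bytes received")
    if code != ACCESS_REJECT:
        return None, []
    error_cause, replies = None, []
    for atype, value in parse_attributes(packet[20:length]):
        if atype == ATTR_ERROR_CAUSE and len(value) == 4 and error_cause is None:
            error_cause = struct.unpack("!I", value)[0]   # first well-formed Error-Cause wins
        elif atype == ATTR_REPLY_MESSAGE:
            replies.append(value.decode("utf-8", "replace"))
    return error_cause, replies


def map_reject(packet):
    """Acceptor side: turn the reject into (major, minor, text) for gss_display_status."""
    error_cause, replies = extract_reject_details(packet)
    minor, text = ERROR_CAUSE_TO_MINOR.get(
        error_cause, (MINOR_UNSPECIFIED_REJECT, "authentication rejected"))
    if replies:   # Reply-Message enriches the local message only; it never reaches the initiator
        text = "%s: %s" % (text, " ".join(replies))
    return GSS_S_FAILURE, minor, text


def encode_error_token(major, minor):
    """Initiator-facing: major and minor as big-endian uint32s, minor confined to 0-255."""
    if not 0 <= minor <= 255:
        raise ValueError("minor status %d does not fit the ABFAB error token" % minor)
    return struct.pack("!II", major, minor)


def decode_error_token(token):
    """Initiator side: recover (major, minor), refusing an out-of-range minor."""
    major, minor = struct.unpack("!II", token)
    if minor > 255:
        raise ValueError("minor status out of range")
    return major, minor


if __name__ == "__main__":
    pkt = build_reject(ERROR_CAUSE_NOT_ROUTABLE, "no trust path to realm example.test")
    major, minor, text = map_reject(pkt)
    print(hex(major), minor, text)
    print(decode_error_token(encode_error_token(major, minor)))
```

The split between `map_reject` and `encode_error_token` mirrors the two interfaces in the message: the server keeps the full text (including any Reply-Message) for its own gss_display_status output, while only the small minor code crosses to the client in the error token.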