[31854] in Kerberos
Re: Wrong principal in request
daemon@ATHENA.MIT.EDU (Jeff Blaine)
Mon Jan 4 16:47:00 2010
Message-ID: <4B4261C8.9060002@kickflop.net>
Date: Mon, 04 Jan 2010 16:46:48 -0500
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <4B424FC3.30504@kickflop.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 1/4/2010 3:29 PM, Jeff Blaine wrote:
>>> Server: CentOS 5.3, MIT Kerberos 1.6.x, Russ Allbery's pam_krb5
>>
>>> Failure: Aside from GSSAPI not being used...
>>
>>> sshd[12234]: pam_krb5RA(sshd:auth): pam_sm_authenticate: entry (0x1)
>>> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting
>>> authentication as jblaine at FOO
>>> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) credential
>>> verification failed: Wrong principal in request
>>
>> Usually this means the principal in the system keytab for your system
>> doesn't agree with the hostname or DNS name of the system.
>>
>
> Thanks Russ.
>
> * Is there any way to see what principal is expected to be in
> the keytab? I've already added host/mega and host/192.168.1.6
> to the keytab...
I happened to notice this (note the missing realm) after a
failed GSSAPI attempt to the SSH server (mega):
    [root@mega ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: jblaine@FOO

    Valid starting     Expires            Service principal
    01/04/10 16:14:51  01/11/10 16:14:51  krbtgt/FOO@FOO
            renew until 01/18/10 16:14:51
    01/04/10 16:15:08  01/11/10 16:14:51  host/mega@
            renew until 01/18/10 16:14:51
I updated /etc/krb5.conf to include

    [domain_realm]
        mega = FOO

And all is well when connecting from mega to mega with OpenSSH
and GSSAPI options.
All is well, too, when connecting from sol10 SPARC stock SSH
to mega using GSSAPI options.
PuTTY-GSSAPI as the client still gives me the same error :(
> * This is all in a private non-routed testbed network with no
> DNS resolution configured. Am I fighting an unwinnable battle
> with a testbed like this? I don't want to depend on DNS at
> all, and /etc/nsswitch.conf's are configured as such.
>
> Jeff
> [ finally subscribed in non-digest mode so he can reply properly ]
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
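Added example, not code from this thread, from MIT Kerberos or from pam_krb5: a small model of how a krb5.conf [domain_realm] section turns the host part of a service principal into a realm, and a check of whether the keytab holds the principal that mapping produces. The lookup order (exact hostname first, then the longest matching ".domain" entry) follows the documented [domain_realm] semantics; the config texts, the keytab list and the hostnames below are constructed samples based on the post, and `expected_service_principal`, `check_keytab` and friends are names chosen for this example only.

```python
"""Model of krb5.conf [domain_realm] lookup and a keytab principal check.

Added example (hypothetical helper names); not MIT Kerberos code.
"""
import re
from typing import Dict, List, Optional, Tuple

HOST_SERVICE = "host"


def parse_domain_realm(conf_text: str) -> Dict[str, str]:
    """Collect `tag = REALM` lines from the [domain_realm] section of a
    krb5.conf-style text.  Tags are lower-cased, as krb5.conf expects."""
    mapping = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = realm
    return mapping


def realm_for_host(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Realm that [domain_realm] assigns to `hostname`, or None if no entry
    applies.  An exact host entry wins; otherwise the most specific
    '.parent.domain' entry.  None is the situation in the post before the
    fix: the library has nothing to put after the '@', so the ticket shows
    up as 'host/mega@' and the client has to rely on a KDC referral."""
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # '.b.c' before '.c' for a.b.c
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def expected_service_principal(hostname: str, mapping: Dict[str, str],
                               service: str = HOST_SERVICE) -> str:
    """Principal name the client will ask a ticket for, realm part included
    (empty when no mapping applies)."""
    realm = realm_for_host(hostname, mapping)
    return "%s/%s@%s" % (service, hostname.lower(), realm or "")


def check_keytab(hostname: str, mapping: Dict[str, str],
                 keytab_principals: List[str]) -> Tuple[str, bool]:
    """Return (expected principal, whether the keytab contains it)."""
    expected = expected_service_principal(hostname, mapping)
    return expected, expected in keytab_principals


# Constructed sample configs: the testbed as described, before and after the
# [domain_realm] line from the post was added.
KRB5_CONF_BEFORE = """
[libdefaults]
    default_realm = FOO
[domain_realm]
    # no entry for the testbed host 'mega'
"""
KRB5_CONF_AFTER = KRB5_CONF_BEFORE + "    mega = FOO\n"

# Constructed keytab listing (what `klist -k` might show on mega), assuming
# the two principals the post mentions were created in realm FOO.
SAMPLE_KEYTAB = ["host/mega@FOO", "host/192.168.1.6@FOO"]


if __name__ == "__main__":
    for label, conf in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        mapping = parse_domain_realm(conf)
        expected, present = check_keytab("mega", mapping, SAMPLE_KEYTAB)
        print("%s: client asks for %-16s keytab has it: %s"
              % (label, expected, present))
```

On the host itself the same comparison is done with `klist -k` (or `klist -kt`) to list the keytab's principals and `kvno host/mega@FOO` to confirm the KDC will issue a ticket for that name; the hostname that matters is the one the system resolves for itself, which is why a testbed with no DNS needs consistent /etc/hosts entries on both ends.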