[11273] in Kerberos-V5-bugs
[krbdev.mit.edu #6619] "wrong principal in request" should name the
daemon@ATHENA.MIT.EDU (Ken Raeburn via RT)
Thu Dec 31 02:28:59 2009
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Ken Raeburn via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6619@krbdev.mit.edu>
Message-ID: <rt-6619-31970.19.6638022974546@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6619'":;"'AdminCc of krbdev.mit.edu Ticket #6619'":;@MIT.EDU
Date: Thu, 31 Dec 2009 02:28:37 -0500 (EST)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
From the kerberos@mit list:
> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting
> authentication as jblaine@FOO
> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) credential
> verification failed: Wrong principal in request
> sshd[12256]: Postponed gssapi-with-mic for jblaine from 192.168.1.240
> port 32812 ssh2
> sshd[12255]: debug1: Unspecified GSS failure. Minor code may provide
> more information\nWrong principal in request\n
It would be more informative if these messages said something like
"Wrong principal in request (wanted 'foo@REALM', found 'bar@REALM')".
The code sites generating the WRONG_PRINC error should call
krb5_set_error_message and supply the additional detail needed for a
sysadmin to debug the (presumed) configuration problem.
Ken
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
