kadmind, Wrong principal in request

ms419@freezone.co.uk ms419 at freezone.co.uk
Sun Apr 4 20:38:04 EDT 2004


Thanks ... Two realms are involved, though they're not on the same 
machine. LAT contains our users (admin@LAT), while RUZ.LAT contains 
principals for some experimental servers. LAT is hosted on tor; RUZ.LAT 
is hosted on wum. Cross realm authentication is otherwise working 
dandy.

Running (on wum):
---
admin@wum:~$ /usr/sbin/kadmin -p admin -r RUZ.LAT
Authenticating as principal admin with password.
Password for admin@LAT:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
---
Evokes on tor and wum:
---
Apr  4 17:17:17 tor krb5kdc[749]: AS_REQ (4 etypes {16 23 3 1}) 192.168.179.73: NEEDED_PREAUTH: admin@LAT for kadmin/admin@LAT, Additional pre-authentication required
Apr  4 17:17:23 tor krb5kdc[749]: AS_REQ (4 etypes {16 23 3 1}) 192.168.179.73: ISSUE: authtime 1081124243, etypes {rep=16 tkt=16 ses=16}, admin@LAT for kadmin/admin@LAT
---
Apr  4 17:17:23 wum kadmind[18547]: Authentication attempt failed: 192.168.179.73, GSS-API error strings are:
Apr  4 17:17:23 wum kadmind[18547]:     Miscellaneous failure
Apr  4 17:17:23 wum kadmind[18547]:     Wrong principal in request
Apr  4 17:17:23 wum kadmind[18547]:    GSS-API error strings complete.
---
So to me (I don't really know what I'm doing - just stating the 
obvious), it appears that admin@LAT is successfully authenticated by 
tor, but that instead of obtaining a cross realm ticket - 
krbtgt/RUZ.LAT@LAT - it's obtaining kadmin/admin@LAT. Why ... ?

Thanks thanks THANKS! for all the help!

Jack

On Apr 4, 2004, at 4:21 PM, Sam Hartman wrote:

> Your error means that the kadmin client used the wrong principal when
> talking to your server.  That's really strange unless you are trying
> to run multiple realms on the same machine or something.
>
> You can look at your KDC log and see what principal your client
> requests.
>
> --Sam
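
The check Sam suggests, reading the KDC log for the principal the client requested, can be scripted. The Python below is an added example, not part of the original thread or of MIT Kerberos; the function names and the sample lines are constructed, and it assumes the one-line krb5kdc request format shown in the post, with the kadmind realm supplied by the operator.

```python
import re

# Tail of a krb5kdc request line:
#   "<TYPE> (...) <addr>: <STATUS>: ... <client> for <service>"
# "@" is the normal separator; " at " is also accepted because list archives often rewrite it.
REQ = re.compile(
    r"krb5kdc\[\d+\]: (?P<type>AS_REQ|TGS_REQ) .*?: (?P<status>[A-Z_]+): .*?"
    r"(?P<client>\S+?)(?:@| at )(?P<crealm>[\w.-]+) for "
    r"(?P<service>\S+?)(?:@| at )(?P<srealm>[\w.-]+)"
)

def parse_requests(lines):
    """Yield one dict per KDC request line that names a client and a service."""
    for line in lines:
        m = REQ.search(line)
        if m:
            yield m.groupdict()

def kadmin_realm_mismatches(lines, admin_realm):
    """Issued kadmin/* tickets whose service realm differs from the realm
    the target kadmind serves (admin_realm is supplied by the operator)."""
    hits = []
    for r in parse_requests(lines):
        if (r["status"] == "ISSUE" and r["service"].startswith("kadmin/")
                and r["srealm"] != admin_realm):
            hits.append((f'{r["client"]}@{r["crealm"]}',
                         f'{r["service"]}@{r["srealm"]}'))
    return hits

# Constructed sample lines, modelled on the log excerpt in the post.
SAMPLE = [
    "Apr  4 17:17:17 tor krb5kdc[749]: AS_REQ (4 etypes {16 23 3 1}) 192.168.179.73: "
    "NEEDED_PREAUTH: admin@LAT for kadmin/admin@LAT, Additional pre-authentication required",
    "Apr  4 17:17:23 tor krb5kdc[749]: AS_REQ (4 etypes {16 23 3 1}) 192.168.179.73: "
    "ISSUE: authtime 1081124243, etypes {rep=16 tkt=16 ses=16}, admin@LAT for kadmin/admin@LAT",
    "Apr  4 17:20:01 wum krb5kdc[812]: AS_REQ (4 etypes {16 23 3 1}) 192.168.179.73: "
    "ISSUE: authtime 1081124401, etypes {rep=16 tkt=16 ses=16}, "
    "admin/admin at RUZ.LAT for kadmin/admin at RUZ.LAT",
]

if __name__ == "__main__":
    for client, service in kadmin_realm_mismatches(SAMPLE, "RUZ.LAT"):
        print(f"{client} was issued {service}, but kadmind serves RUZ.LAT")
```
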


