krb5_sname_to_principal question

Jos Backus jos at
Tue Jul 29 17:54:48 EDT 2008

On Tue, Jul 29, 2008 at 12:26:17PM -0700, Russ Allbery wrote:
> I believe this was to support server-side referrals.  The idea is that the
> client will ask the server for a principal with an empty realm and the
> server will figure out the realm.
*nod* As it stands, without a matching domain_realm entry, the realm remains

This broke our setup between CentOS 4 (Kerberos 1.5) and CentOS 5 (Kerberos
1.6.1) , where ssh'in into a box fails with `Wrong principal in request'.
Adding some debugging from 1.6.3 reveals that the offered principal is
`host/fqdn at REALM' whereas the expected principal (returned from
krb5_sname_to_principal()) is `host/fqdn@'.

> I don't know exactly how this works, though.

Neither do I.

Jos Backus
jos at

More information about the Kerberos mailing list