krb5_sname_to_principal question

Russ Allbery rra at
Tue Jul 29 20:03:23 EDT 2008

Jos Backus <jos at> writes:
> On Tue, Jul 29, 2008 at 12:26:17PM -0700, Russ Allbery wrote:

>> I believe this was to support server-side referrals.  The idea is that
>> the client will ask the server for a principal with an empty realm and
>> the server will figure out the realm.

> *nod* As it stands, without a matching domain_realm entry, the realm
> remains empty.

> This broke our setup between CentOS 4 (Kerberos 1.5) and CentOS 5
> (Kerberos 1.6.1) , where ssh'in into a box fails with `Wrong principal
> in request'.  Adding some debugging from 1.6.3 reveals that the offered
> principal is `host/fqdn at REALM' whereas the expected principal (returned
> from krb5_sname_to_principal()) is `host/fqdn@'.

Yes, you're having the same situation that we did, where the change to
support referrals broke other software.  My only experience with it has
been in the area of where it broke things.

We solved the problems we ran into by making sure that we had domain_realm
mappings on the client, since otherwise ksu stopped working.  I think ksu
has now been fixed in Subversion, though.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list