GSSAPI / Kerberos ticket authentication issues
Broekman, Maarten
Maarten.Broekman at fmr.com
Mon Nov 16 09:01:15 EST 2009
All,
I'm trying to configure my RHEL5 servers to perform GSSAPI
authentication via gssftp and ssh. I've enabled the gssftp service and
GSSAPIAuthentication (in ssh). Everything works properly with Kerberos
tickets over the "hostname" IP address (as well as any CNAMEs for it).
However, when I try to connect to a secondary IP address on the same
system, GSSAPI authentication fails. I have host principals in the
keytab for all hostnames on the system and /etc/hosts contains all the
appropriate host / IP entries.
Example:
$ kinit
$ ftp -n -i hostname          --> Works properly
...
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote user username
232 GSSAPI user username@DOMAIN.COM is authorized as username

$ ftp -n -i hostname-alt      --> Doesn't work.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Unspecified GSS failure. Minor code may provide more information
GSSAPI error minor: Unknown code krb5 144
GSSAPI error: accepting context
GSSAPI ADAT failed
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote user username
331 Password required for username.
Code 144 is "wrong principal in request" but I can't for the
life of me figure out why.
Running klist -k /etc/krb5.keytab on the target server shows:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 host/hostname-alt.domain.com@DOMAIN.COM
  10 host/hostname-alt.domain.com@DOMAIN.COM
  10 host/hostname-alt.domain.com@DOMAIN.COM
  10 host/hostname-alt.domain.com@DOMAIN.COM
   6 host/hostname.domain.com@DOMAIN.COM
   6 host/hostname.domain.com@DOMAIN.COM
   6 host/hostname.domain.com@DOMAIN.COM
   6 host/hostname.domain.com@DOMAIN.COM
Checking both of these host principals in our kerberos database
shows that they are all valid.
Running a klist on my ticket cache on the source system shows:

$ klist
Ticket cache: FILE:/tmp/krb5cc_62548_AdrweK
Default principal: username@DOMAIN.COM

Valid starting     Expires            Service principal
11/16/09 08:50:05  11/17/09 08:50:05  krbtgt/DOMAIN.COM@DOMAIN.COM
11/16/09 08:50:34  11/17/09 08:50:05  host/hostname.domain.com@DOMAIN.COM
11/16/09 08:50:40  11/17/09 08:50:05  host/hostname-alt.domain.com@DOMAIN.COM

Kerberos 4 ticket cache: /tmp/tkt62548
klist: You have no tickets cached
Any assistance with this would be greatly appreciated.
Thanks in advance,
--Maarten
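A small diagnostic that an administrator debugging this kind of "wrong principal in request" failure can run offline, added here as an example and not part of the post above or of any Kerberos distribution: it parses the server's klist -k listing and the client's klist listing, reports for each host/ service ticket the client holds whether the server keytab has a key for exactly that principal (and at which KVNOs), and lists the hostnames the keytab can vouch for. The sample listings are constructed to mirror the two in the post; the principals are compared case-sensitively and byte-for-byte, because that is how the acceptor matches a ticket against its keytab, so a server that resolves its own name to something other than the name the client targeted will not find a match even when both names appear in the keytab.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` on the server (mirrors the post).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 host/hostname-alt.domain.com@DOMAIN.COM
  10 host/hostname-alt.domain.com@DOMAIN.COM
   6 host/hostname.domain.com@DOMAIN.COM
   6 host/hostname.domain.com@DOMAIN.COM
"""

# Constructed sample of `klist` on the client (mirrors the post).
CACHE_LISTING = """\
Ticket cache: FILE:/tmp/krb5cc_62548_AdrweK
Default principal: username@DOMAIN.COM

Valid starting     Expires            Service principal
11/16/09 08:50:05  11/17/09 08:50:05  krbtgt/DOMAIN.COM@DOMAIN.COM
11/16/09 08:50:34  11/17/09 08:50:05  host/hostname.domain.com@DOMAIN.COM
11/16/09 08:50:40  11/17/09 08:50:05  host/hostname-alt.domain.com@DOMAIN.COM
"""

# "<kvno> <principal@REALM>" data rows of klist -k; header and dash rows do not match.
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")
# "<start> <expiry> <service principal>" rows of klist (MIT two-digit date format).
CACHE_RE = re.compile(
    r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+(\S+@\S+)\s*$"
)


def parse_keytab(text):
    """Map each principal in `klist -k` output to the set of KVNOs stored for it."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def parse_cache(text):
    """Return the service principals listed in `klist` output, in order."""
    principals = []
    for line in text.splitlines():
        m = CACHE_RE.match(line)
        if m:
            principals.append(m.group(1))
    return principals


def check_service_coverage(keytab_text, cache_text, service="host"):
    """For every <service>/... ticket the client holds, return the KVNOs the
    server keytab has for that exact principal; an empty list means the
    server cannot decrypt a ticket issued for that name at all."""
    keytab = parse_keytab(keytab_text)
    report = {}
    for princ in parse_cache(cache_text):
        if princ.startswith(service + "/"):
            report[princ] = sorted(keytab.get(princ, ()))
    return report


def server_names_accepted(keytab_text, service="host"):
    """Hostnames this keytab can authenticate as for the given service.
    The name the server resolves for itself when accepting the context must
    be one of these; being listed in /etc/hosts is not enough by itself."""
    names = set()
    for princ in parse_keytab(keytab_text):
        svc, _, rest = princ.partition("/")
        if svc == service:
            names.add(rest.split("@", 1)[0])
    return sorted(names)


if __name__ == "__main__":
    for princ, kvnos in check_service_coverage(KEYTAB_LISTING, CACHE_LISTING).items():
        status = "keytab KVNO(s) %s" % kvnos if kvnos else "NO KEY IN SERVER KEYTAB"
        print("%-45s %s" % (princ, status))
    print("server keytab covers:", ", ".join(server_names_accepted(KEYTAB_LISTING)))
```

Run on the two listings from the post, both host/ principals are covered (KVNO 6 and KVNO 10), so the next thing to compare is the name the gssftp or sshd process derives for itself on the alternate address against these two; that comparison is what the error code points at, not the contents of the client's cache.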