Wrong principal in request

Jeff Blaine jblaine at kickflop.net
Mon Jan 4 16:46:48 EST 2010


On 1/4/2010 3:29 PM, Jeff Blaine wrote:
>>> Server: CentOS 5.3, MIT Kerberos 1.6.x, Russ Allbery's pam_krb5
>>
>>> Failure: Aside from GSSAPI not being used...
>>
>>> sshd[12234]: pam_krb5RA(sshd:auth): pam_sm_authenticate: entry (0x1)
>>> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting
>>> authentication as jblaine at FOO
>>> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) credential
>>> verification failed: Wrong principal in request
>>
>> Usually this means the principal in the system keytab for your system
>> doesn't agree with the hostname or DNS name of the system.
>>
>
> Thanks Russ.
>
> * Is there any way to see what principal is expected to be in
>     the keytab?  I've already added host/mega and host/192.168.1.6
>     to the keytab...

I happened to notice this (note the missing realm) after a
failed GSSAPI attempt to the SSH server (mega):

[root at mega ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jblaine at FOO

Valid starting     Expires            Service principal
01/04/10 16:14:51  01/11/10 16:14:51  krbtgt/FOO at FOO
         renew until 01/18/10 16:14:51
01/04/10 16:15:08  01/11/10 16:14:51  host/mega@
         renew until 01/18/10 16:14:51

I updated /etc/krb5.conf to include

     [domain_realm]
         mega = FOO

And all is well when connecting from mega to mega with OpenSSH
and GSSAPI options.

All is well, too, when connecting from sol10 SPARC stock SSH
to mega using GSSAPI options.

PuTTY-GSSAPI as the client still gives me the same error :(

> * This is all in a private non-routed testbed network with no
>     DNS resolution configured.  Am I fighting an unwinnable battle
>     with a testbed like this?  I don't want to depend on DNS at
>     all, and /etc/nsswitch.conf's are configured as such.
>
> Jeff
> [ finally subscribed in non-digest mode so he can reply properly ]
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
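
Added example, not part of the original message: a simplified Python model of how a host name is mapped to a realm through [domain_realm], showing why the service ticket above was issued for host/mega@ until the mapping was added. The lookup order and the upper-cased-domain fallback are a simplified assumption about the MIT library's behaviour, and the keytab contents are constructed from the names in this thread.

```python
# Added example: simplified model of krb5.conf [domain_realm] resolution.
import re

def parse_domain_realm(conf_text):
    """Return the [domain_realm] mappings from krb5.conf text as a dict."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = realm
    return mappings

def realm_for_host(host, mappings):
    """Try the host name, then each parent domain (with and without a leading dot)."""
    candidate = host.lower()
    while candidate:
        if candidate in mappings:
            return mappings[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    # Assumed fallback: upper-cased domain portion; a single-label name has none.
    _, _, domain = host.partition(".")
    return domain.upper()

def check_keytab(host, conf_text, keytab_principals):
    """Return (expected host principal, whether the keytab holds it)."""
    realm = realm_for_host(host, parse_domain_realm(conf_text))
    expected = f"host/{host.lower()}@{realm}"
    return expected, expected in keytab_principals

# Constructed sample data based on the names in this thread.
KEYTAB = {"host/mega@FOO", "host/192.168.1.6@FOO"}
BEFORE = "[libdefaults]\n    default_realm = FOO\n"
AFTER = BEFORE + "[domain_realm]\n    mega = FOO\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, check_keytab("mega", conf, KEYTAB))
```

A single-label host name with no mapping resolves to an empty realm here, which never matches a keytab entry carrying a realm.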


