Wrong principal in request
Russ Allbery
rra at stanford.edu
Mon Jan 4 20:42:25 EST 2010
Jeff Blaine <jblaine at kickflop.net> writes:
> I happened to notice this (note the missing realm) after a
> failed GSSAPI attempt to the SSH server (mega):
> [root@mega ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: jblaine@FOO
> Valid starting     Expires            Service principal
> 01/04/10 16:14:51  01/11/10 16:14:51  krbtgt/FOO@FOO
>         renew until 01/18/10 16:14:51
> 01/04/10 16:15:08  01/11/10 16:14:51  host/mega@
>         renew until 01/18/10 16:14:51

Ah, that means that the client doesn't know what the local realm is and is
therefore trying to ask the server via referrals, but the server isn't
answering that question.

> I updated /etc/krb5.conf to include
> [domain_realm]
> mega = FOO
> And all is well when connecting from mega to mega with OpenSSH
> and GSSAPI options.
> All is well, too, when connecting from sol10 SPARC stock SSH
> to mega using GSSAPI options.
> PuTTY-GSSAPI as the client still gives me the same error :(

Did you update the Windows equivalent (krb5.ini, I think)?

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
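
The host-to-realm lookup discussed in this message, as an added example that is not part of the original thread: a simplified model of how a client searches [domain_realm] and ends up with an empty realm (host/mega@) when no entry matches. The search order (host name, then each parent domain with and without a leading dot) is an assumption modelled on MIT krb5 behaviour; the config fragments are constructed and all function names are hypothetical.

```python
import re

# Constructed sample krb5.conf fragments (realm FOO and host mega are from the thread).
CONF_WITHOUT_MAPPING = """
[libdefaults]
    forwardable = true

[domain_realm]
    .example.org = EXAMPLE.ORG
"""

CONF_WITH_MAPPING = CONF_WITHOUT_MAPPING + "    mega = FOO\n"


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a {name: realm} dict."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def realm_for_host(hostname, mapping):
    """Try the host name, then each parent domain with and without a leading dot.

    Returns "" (no realm known, left to referrals) when nothing matches.
    """
    candidate = hostname.lower()
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    return ""


def service_principal(service, hostname, conf_text):
    """Build the service principal name a client would request for this host."""
    realm = realm_for_host(hostname, parse_domain_realm(conf_text))
    return f"{service}/{hostname}@{realm}"
```

A short host name such as mega has no parent domain to fall back on, so only an exact [domain_realm] entry gives it a realm in this model.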