Wrong principal in request
Jeff Blaine
jblaine at kickflop.net
Mon Jan 4 22:43:03 EST 2010
On 1/4/2010 8:42 PM, Russ Allbery wrote:
> Jeff Blaine<jblaine at kickflop.net> writes:
>
>> I happened to notice this (note the missing realm) after a
>> failed GSSAPI attempt to the SSH server (mega):
>
>> [root@mega ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: jblaine@FOO
>
>> Valid starting     Expires            Service principal
>> 01/04/10 16:14:51  01/11/10 16:14:51  krbtgt/FOO@FOO
>>         renew until 01/18/10 16:14:51
>> 01/04/10 16:15:08  01/11/10 16:14:51  host/mega@
>>         renew until 01/18/10 16:14:51
>
> Ah, that means that the client doesn't know what the local realm is and is
> therefore trying to ask the server via referrals, but the server isn't
> answering that question.
>
>> I updated /etc/krb5.conf to include
>
>> [domain_realm]
>> mega = FOO
>
>> And all is well when connecting from mega to mega with OpenSSH
>> and GSSAPI options.
>
>> All is well, too, when connecting from sol10 SPARC stock SSH
>> to mega using GSSAPI options.
>
>> PuTTY-GSSAPI as the client still gives me the same error :(
>
> Did you update the Windows equivalent (krb5.ini, I think)?
I hadn't, but duplicated krb5.conf to C:\WINDOWS\krb5.ini to
replace the old one there (which worked fine for getting into
the Solaris 10 box via PuTTY + GSSAPI).
Same old same old.
OpenSSH sshd on mega reports:
...
mega sshd[3287]: debug1: userauth-request for user jblaine service ssh-connection method gssapi-with-mic
mega sshd[3287]: debug1: attempt 1 failures 1
mega sshd[3286]: debug1: PAM: setting PAM_RHOST to "192.168.1.4"
mega sshd[3286]: debug1: PAM: setting PAM_TTY to "ssh"
mega sshd[3287]: Postponed gssapi-with-mic for jblaine from 192.168.1.4 port 50081 ssh2
mega sshd[3286]: debug1: Unspecified GSS failure. Minor code may provide more information\nWrong principal in request\n
mega sshd[3286]: debug1: Got no client credentials
...
And the KDC reports:
...
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.4: ISSUE: authtime 1262662114, etypes {rep=18 tkt=18 ses=18}, jblaine@FOO for krbtgt/FOO@FOO
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.4: ISSUE: authtime 1262662114, etypes {rep=18 tkt=18 ses=18}, jblaine@FOO for host/192.168.1.6@FOO
TGS_REQ (1 etypes {18}) 192.168.1.4: ISSUE: authtime 1262662114, etypes {rep=18 tkt=18 ses=18}, jblaine@FOO for krbtgt/FOO@FOO
After the failed GSSAPI attempt, KfW looks like the attached
image.
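The two pieces of evidence in this thread point at the same thing from different sides: klist on mega shows a service ticket for host/mega@ (realm empty), and the KDC log shows the PuTTY client being issued a ticket for host/192.168.1.6@FOO (the server's address in the instance, not its name). Either form cannot match a keytab entry of the shape host/<hostname>@REALM, which is what sshd's "Wrong principal in request" is complaining about. The script below is an added example for checking for exactly these two symptoms from logs; it is not code from the thread, and the sample input is constructed from the lines quoted above with the list archive's "at" obfuscation reversed. The expected keytab contents (host/mega@FOO) are an assumption used as a placeholder; the KDC line parser assumes the MIT krb5kdc.log line shape seen in the thread.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread's excerpts (not verbatim captures).
KDC_LOG = """\
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.4: ISSUE: authtime 1262662114, etypes {rep=18 tkt=18 ses=18}, jblaine@FOO for krbtgt/FOO@FOO
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.4: ISSUE: authtime 1262662114, etypes {rep=18 tkt=18 ses=18}, jblaine@FOO for host/192.168.1.6@FOO
TGS_REQ (1 etypes {18}) 192.168.1.4: ISSUE: authtime 1262662114, etypes {rep=18 tkt=18 ses=18}, jblaine@FOO for krbtgt/FOO@FOO
"""

KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jblaine@FOO

Valid starting     Expires            Service principal
01/04/10 16:14:51  01/11/10 16:14:51  krbtgt/FOO@FOO
        renew until 01/18/10 16:14:51
01/04/10 16:15:08  01/11/10 16:14:51  host/mega@
        renew until 01/18/10 16:14:51
"""

# Assumed (placeholder) contents of the SSH server's keytab on mega.
EXPECTED_KEYTAB_PRINCIPALS = {"host/mega@FOO"}

# MIT krb5kdc.log ISSUE lines: "<REQ> (...) <client-ip>: <status>: ..., <client> for <service>"
KDC_RE = re.compile(
    r"^(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>\w+): "
    r"(?P<detail>.*), (?P<client>\S+) for (?P<service>\S+)$"
)

# klist table rows: "<start> <expires> <service principal>"; "renew until" rows are indented.
KLIST_RE = re.compile(
    r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+(?P<service>\S+)\s*$"
)


def parse_kdc_log(text):
    """Return one dict per recognised KDC request line."""
    return [m.groupdict() for m in (KDC_RE.match(l) for l in text.splitlines()) if m]


def parse_klist(text):
    """Return the service principals listed in klist output, in order."""
    return [m.group("service") for m in (KLIST_RE.match(l) for l in text.splitlines()) if m]


def split_principal(principal):
    """'host/mega@FOO' -> ('host', 'mega', 'FOO'); realm is '' when the '@' is bare."""
    name, sep, realm = principal.rpartition("@")
    if not sep:            # no '@' at all
        name, realm = principal, None
    primary, _, instance = name.partition("/")
    return primary, instance, realm


def is_ip_literal(instance):
    """True when the instance part is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(instance)
        return True
    except ValueError:
        return False


def audit_service_principal(service, expected_keytab):
    """Return finding tags explaining why this ticket cannot satisfy the server."""
    primary, instance, realm = split_principal(service)
    findings = []
    if realm == "":
        # host/mega@ : the client never learned the host's realm (no [domain_realm]
        # mapping on the client, and the KDC did not answer the referral).
        findings.append("empty-realm")
    if is_ip_literal(instance):
        # host/192.168.1.6@FOO : the client put the address, not the hostname, into
        # the ticket, so it cannot match a host/<hostname> keytab entry.
        findings.append("ip-instance")
    if primary == "host" and service not in expected_keytab:
        findings.append("not-in-keytab")
    return findings


def audit(kdc_log, klist_output, expected_keytab):
    """Map every problematic service principal seen in either source to its findings."""
    services = [r["service"] for r in parse_kdc_log(kdc_log)] + parse_klist(klist_output)
    report = {}
    for svc in services:
        findings = audit_service_principal(svc, expected_keytab)
        if findings:
            report[svc] = findings
    return report


if __name__ == "__main__":
    for svc, findings in audit(KDC_LOG, KLIST_OUTPUT, EXPECTED_KEYTAB_PRINCIPALS).items():
        print(f"{svc}: {', '.join(findings)}")
```

Run against the constructed input it reports host/192.168.1.6@FOO as ip-instance and host/mega@ as empty-realm, both additionally flagged as not matching the assumed keytab. On a real server the expected set would come from `klist -k` on the keytab, and the same two tags separate a client-side name/realm mapping problem from a keytab that genuinely lacks the entry.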