Wrong principal in request

Jaap Winius jwinius at umrk.nl
Fri Feb 25 18:37:32 EST 2011 

Hi folks,

The subject above is part of an error that I was seeing in the syslog  
of my site's MIT Kerberos 1.8.3 master server (Debian squeeze):

slapd[26423]: SASL [conn=1256] Failure: GSSAPI Error: Unspecified GSS  
failure.  Minor code may provide more information (Wrong principal in  
request)
slapd[26423]: conn=1256 op=0 RESULT tag=97 err=49 text=SASL(-13):  
authentication failure: GSSAPI Failure: gss_accept_sec_context

This rather vague error was my own fault. I started with a working  
system -- one master and two slaves -- all of which use OpenLDAP  
2.4.23 for their back-ends and replication, but then decided to alter  
these servers somewhat to add more LDAP client functionality.

I'm no longer sure exactly what I changed, but it was a mistake. Soon  
afterwards the OpenLDAP consumer servers stopped replicating and the  
above SASL and GSSAPI errors appeared on the master/provider server  
every time the slave/consumer servers attempted to make contact  
(syncrepl).

To fix things I tried to recreate various key tables, after which I  
attempted to recreate the principals for them as well. When that  
didn't work, I tried testing the connections with krb5-rsh. The  
results indicated that the hosts that I was trying to contact were not  
in the Kerberos database at all (even though it would not say which  
hosts I was trying to contact). Yet, I was certain that the names of  
the principals I was using -- ldap/<FQDN>@REALM -- matched the FQDNs  
of the hosts.

A solution suggested itself when I noticed that krb5-rsh did work  
between hosts with a "host/<FQDN>@REALM" principal. So, I made extra  
ones of these principals for each of the three Kerberos/LDAP servers  
with their keys added to the local key table files. It seemed totally  
redundant, but it worked and things were back to normal. The question  
is, why?

Finally, I tested the system to make sure all of these changes were  
really necessary. I did this by first removing the new  
host/<FQDN>@REALM principals and matching keys for the slave/consumer  
servers, restarting all three servers to test connectivity, and then  
doing the same after removing the new host principal and keys for the  
master/provider. Mysteriously, it continued to work (and still does)  
as though nothing had ever been the matter.

Does anyone have an explanation for what was going on here?

Cheers,

Jaap

More information about the Kerberos mailing list