Wallet/remctld: Wrong principal in request

Andreas Ntaflos daff at pseudoterminal.org
Fri Oct 26 19:22:03 EDT 2012


Hi,

I am trying to set up Wallet for streamlining keytab distribution,
following Jan-Piet's interesting and insightful blog post [1] but I am
somehow stumbling early on. Using Ubuntu 12.04 and MIT Kerberos 1.10
(1.10+dfsg~beta1-2ubuntu0.3, FWIW). Wallet I built from the latest
git://git.eyrie.org/kerberos/wallet.git.

I got as far as initializing the Wallet database and ACLs with an admin
principal:

# wallet-admin initialize daff/admin@EXAMPLE.COM

I configured krb5.conf with defaults for wallet, i.e.

wallet_port = = 4373
wallet_server = auth01.example.com

But doing simple wallet test runs, like these

daff@auth01 $ wallet -u daff get keytab test
daff@auth01 $ wallet -u daff/admin get keytab test
daff@other01 $ wallet -u daff get keytab test
daff@other01 $ wallet -u daff/admin get keytab test

all make remctld complain about a wrong principal in request, like this:

remctld[29898]: connect from 10.1.7.41 (10.1.7.41)
remctld[29898]: GSS-API error while accepting context: Unspecified GSS
failure.  Minor code may provide more information, Wrong principal in
request
...
remctld[29047]: connect from 10.1.7.11 (10.1.7.11)
remctld[29047]: GSS-API error while accepting context: Unspecified GSS
failure.  Minor code may provide more information, Wrong principal in
request

As you can see, this happens both on the auth01 server itself and when
running the wallet client on a remote server.

My wallet configuration is identical to the example on [1], modulo
realms and hostnames of course. I also created a service/wallet
principal and gave it admin permissions in kadm5.acl, and I distributed
the corresponding keytab to the remote server as well, but it seems things
fail much earlier so this all probably doesn't matter.

I can't seem to get more debug info out of remctld than that, so I am at
a loss. What principal does remctld expect to find here? What am I doing
wrong?

Thanks in advance,

Andreas

[1]
http://jpmens.net/2012/06/25/streamlining-distribution-of-kerberos-keytabs-and-other-secure-data/
