Wrong principal in request error on gss_accept_sec_context()

Xie, Hugh hugh.xie at bankofamerica.com
Wed Jan 14 15:55:44 EST 2015


To isolate this issue further, I set the debugger to the following functions that return KRB5KRB_AP_WRONG_PRINC:

./lib/krb5/krb/srv_dec_tkt.c:krb5_server_decrypt_ticket_keytab()
./lib/krb5/krb/rd_req_dec.c:decrypt_ticket()
./lib/krb5/krb/pac.c:k5_pac_validate_client()
./lib/krb5/krb/s4u_creds.c:krb5_get_self_cred_from_kdc()

Gdb does not seem to stop at any one of the functions.
Please provide a pointer. Thanks.


-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Xie, Hugh
Sent: Monday, January 12, 2015 4:44 PM
To: Greg Hudson; '<kerberos at mit.edu>'
Subject: RE: Wrong principal in request error on gss_accept_sec_context()

To clarify the confusion, I am merely mentioning the same server "myacct" works on one server but does not work in another server.

I added a new keytab entry HTTP/host2.site123.baml.com @ COMMON.BANKOFAMERICA.COM. The same error still exists; it did not make much difference.

-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu]
Sent: Tuesday, January 06, 2015 1:52 PM
To: Xie, Hugh; '<kerberos at mit.edu>'
Subject: Re: Wrong principal in request error on gss_accept_sec_context()

On 01/05/2015 09:36 PM, Xie, Hugh wrote:
> 1. /efs/dist/kerberos/mit/1.11.5/exec/bin/klist -k -t $KRB5_KTNAME 
> Keytab name: FILE: /tmp/myacct.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 12/17/2014 15:30:08 myacct at COMMON.BANKOFAMERICA.COM

[In the klist output:]
> #1>     Client: winlogin @ COMMON.BANKOFAMERICA.COM
>         Server: HTTP/host2.site123.baml.com @ COMMON.BANKOFAMERICA.COM

If the client is authenticating to HTTP/host2.site123.baml.com then the server needs that key in its keytab, though it doesn't have to be listed under that name.

From the information given so far, I cannot tell whether the myacct key ought to be the same as the HTTP/host2.site123.baml.com key through some kind of principal aliasing.  I am particularly confused by these two statements:

On Fri Dec 19 13:33:11 EST 2014:
> We are using the same account on both hosts the Principal in the keytab is "myacct at COMMON.BANKOFAMERICA.COM"

On: Sat Dec 20 21:28:33 EST 2014
> No it is different computer accounts.
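An added diagnostic, not from this thread or from MIT krb5, that applies Greg's check above mechanically: it parses `klist -k -t` output and tests whether the keytab holds an entry named after the service principal shown on the "Server:" line of the client's ticket. The listing embedded below is constructed from the quoted output, with a hypothetical second entry for the HTTP principal.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of `klist -k -t`, modelled on the listing
# quoted in this thread; the second entry is hypothetical.
KLIST_OUTPUT = """\
Keytab name: FILE:/tmp/myacct.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/17/2014 15:30:08 myacct@COMMON.BANKOFAMERICA.COM
   2 01/12/2015 16:30:00 HTTP/host2.site123.baml.com@COMMON.BANKOFAMERICA.COM
"""

# One keytab row: kvno, "MM/DD/YYYY HH:MM:SS", principal
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    timestamp: str
    principal: str


def parse_klist(text):
    """Return the keytab entries listed by `klist -k -t`, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_acceptor_key(entries, ticket_server):
    """Report whether the keytab has an entry named after the service principal
    the client's ticket was issued for. An entry under that exact name is the
    normal case; a key stored under another name (e.g. 'myacct') can only work
    if it is the same key material, which klist cannot show, so in that case
    the other principals in the realm are returned for manual comparison."""
    same_name = [e for e in entries if e.principal == ticket_server]
    if same_name:
        return ("present", sorted(e.kvno for e in same_name))
    realm = ticket_server.rsplit("@", 1)[-1]
    others = [e.principal for e in entries if e.principal.endswith("@" + realm)]
    return ("missing", others)
```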

----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
