[krbdev.mit.edu #6619] "wrong principal in request" should name the principals

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Thu Dec 31 02:28:37 EST 2009


 From the kerberos at mit list:

> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting
> authentication as jblaine at FOO
> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) credential
> verification failed: Wrong principal in request

> sshd[12256]: Postponed gssapi-with-mic for jblaine from 192.168.1.240
> port 32812 ssh2
> sshd[12255]: debug1: Unspecified GSS failure.  Minor code may provide
> more information\nWrong principal in request\n

It would be more informative if these messages said something like  
"Wrong principal in request (wanted 'foo at REALM', found 'bar at REALM')".   
The code sites generating the WRONG_PRINC error should call  
krb5_set_error_message and supply the additional detail needed for a  
sysadmin to debug the (presumed) configuration problem.

Ken
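
An added example, not part of the original message and not MIT krb5 code: one way a code site could build the detailed text proposed above before passing it to krb5_set_error_message. The function names and sample principals are hypothetical; the names are assumed to be already unparsed to strings, and bytes that could forge or split a log line are replaced because the "found" name comes from the request.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst, replacing control bytes, non-ASCII bytes and single
 * quotes with '?' so a name taken from the request cannot inject a fake
 * log line or break out of the quoted field. */
static void sanitize_name(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;

    if (dstlen == 0)
        return;
    for (; src != NULL && *src != '\0' && i + 1 < dstlen; src++) {
        unsigned char c = (unsigned char)*src;
        dst[i++] = (c < 0x20 || c > 0x7e || c == '\'') ? '?' : (char)c;
    }
    dst[i] = '\0';
}

/* Build the detailed error text. Returns 0 on success, -1 if the text did
 * not fit (buf then holds a truncated, NUL-terminated string). */
int format_wrong_princ(char *buf, size_t buflen,
                       const char *wanted, const char *found)
{
    char w[256], f[256];
    int n;

    sanitize_name(w, sizeof(w), wanted ? wanted : "(none)");
    sanitize_name(f, sizeof(f), found ? found : "(none)");
    n = snprintf(buf, buflen,
                 "Wrong principal in request (wanted '%s', found '%s')", w, f);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    char msg[600];

    /* Constructed sample principals. */
    format_wrong_princ(msg, sizeof(msg),
                       "host/a.example.com@REALM", "host/b.example.com@REALM");
    /* At a real call site the text would be attached to the error code:
     * krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC, "%s", msg); */
    puts(msg);
    return 0;
}
```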



