Problem in gss-server

Greg Hudson ghudson at MIT.EDU
Thu Aug 30 11:39:54 EDT 2012


On 08/30/2012 10:51 AM, Sankar Das wrote:
> GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code may provide more information
> GSS-API error acquiring credentials: No principal in keytab matches desired name
[...]
> I have tried giving different combination of "service_name" but nothing works. Can somebody tell me what I am missing?

You need the following three things to match:

* The canonicalization of the service hostname on the client
* The canonicalization of the service hostname on the server
* The principal in the keytab

Canonicalization of a hostname is done through forward name resolution
(getaddrinfo) and then reverse name resolution (getaddrinfo).  The
second part can sometimes be disabled by setting rdns = false in
[libdefaults] in krb5.conf--only sometimes, because getaddrinfo on Linux
may perform a reverse lookup to get the canonical name depending on how
it's invoked.

On the client side, the above canonicalization steps normally happen
through DNS.  On the server side, they usually go through /etc/hosts
instead.  Be sure to check any IPv6 entries you might have in /etc/hosts
as well as IPv4 entries, as they can sometimes be used.
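
[Added example, not part of the original message and not MIT krb5 code.] A simplified Python model of the forward-then-reverse canonicalization described above, to run on both client and server and compare against the keytab. The service name, realm, hostnames, addresses and keytab entry are constructed, and keeping the forward name when the reverse lookup fails is an assumption of this sketch.

```python
import socket

def dns_forward(host):
    """Forward lookup: (canonical name, socket address) from getaddrinfo."""
    info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)[0]
    return info[3] or host, info[4]

def dns_reverse(sockaddr):
    """Reverse lookup of the address found by the forward step."""
    return socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)[0]

def canonicalize(host, rdns=True, forward=dns_forward, reverse=dns_reverse):
    """Simplified model of the canonicalization described above."""
    name, addr = forward(host)
    if rdns:
        try:
            name = reverse(addr)
        except OSError:
            pass  # assumption: keep the forward name if no reverse record exists
    return name.rstrip(".").lower()

def compare(service, realm, client_host, server_host, keytab):
    """Report whether the three things named above line up."""
    wanted = f"{service}/{client_host}@{realm}"
    served = f"{service}/{server_host}@{realm}"
    return {"client_requests": wanted, "server_acquires": served,
            "hosts_agree": client_host == server_host,
            "client_in_keytab": wanted in keytab,
            "server_in_keytab": served in keytab}

# Constructed sample data: the client resolves through DNS, the server through
# an /etc/hosts file whose IPv6 line maps its address to a short name.
CLIENT_VIEW = {"fwd": {"gss": ("gss1.example.com", "192.0.2.10")},
               "rev": {"192.0.2.10": "gss1.example.com"}}
SERVER_VIEW = {"fwd": {"gss1": ("gss1", "2001:db8::10")},
               "rev": {"2001:db8::10": "gss1"}}
KEYTAB = {"sample/gss1.example.com@EXAMPLE.COM"}  # constructed, as klist -k would list

def view(table, host, rdns=True):
    """Canonicalize using a constructed lookup table instead of live resolvers."""
    return canonicalize(host, rdns, table["fwd"].__getitem__, table["rev"].__getitem__)

if __name__ == "__main__":
    client = view(CLIENT_VIEW, "gss")
    server = view(SERVER_VIEW, "gss1")
    for key, value in compare("sample", "EXAMPLE.COM", client, server, KEYTAB).items():
        print(f"{key}: {value}")
```

Calling `canonicalize(hostname)` with the default resolvers on each machine shows what that machine actually produces; the constructed tables only make the mismatch reproducible offline.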


