On 1/4/2010 3:29 PM, Jeff Blaine wrote:
>>> Server: CentOS 5.3, MIT Kerberos 1.6.x, Russ Allbery's pam_krb5
>>
>>> Failure: Aside from GSSAPI not being used...
>>
>>> sshd[12234]: pam_krb5RA(sshd:auth): pam_sm_authenticate: entry (0x1)
>>> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting
>>> authentication as jblaine at FOO
>>> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) credential
>>> verification failed: Wrong principal in request
>>
>> Usually this means the principal in the system keytab for your system
>> doesn't agree with the hostname or DNS name of the system.
>>
>
> Thanks Russ.
>
> * Is there any way to see what principal is expected to be in
>   the keytab? I've already added host/mega and host/192.168.1.6
>   to the keytab...

I happened to notice this (note the missing realm) after a failed
GSSAPI attempt to the SSH server (mega):

[r...@mega ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jbla...@foo

Valid starting     Expires            Service principal
01/04/10 16:14:51  01/11/10 16:14:51  krbtgt/f...@foo
        renew until 01/18/10 16:14:51
01/04/10 16:15:08  01/11/10 16:14:51  host/mega@
        renew until 01/18/10 16:14:51

I updated /etc/krb5.conf to include

[domain_realm]
    mega = FOO

And all is well when connecting from mega to mega with OpenSSH
and GSSAPI options.

All is well, too, when connecting from sol10 SPARC stock SSH
to mega using GSSAPI options.

PuTTY-GSSAPI as the client still gives me the same error :(

> * This is all in a private non-routed testbed network with no
>   DNS resolution configured. Am I fighting an unwinnable battle
>   with a testbed like this? I don't want to depend on DNS at
>   all, and /etc/nsswitch.conf's are configured as such.
>
> Jeff
> [ finally subscribed in non-digest mode so he can reply properly ]
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
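
Added example, not part of the original post and not MIT Kerberos code: a simplified Python model of how a [domain_realm] section maps a hostname to a realm, using the post's `mega = FOO` entry, so a testbed config can be checked without DNS. The `default_realm` line, the `.testbed.example` entry, the hostname `sol10.testbed.example` and all function names are constructed for illustration.

```python
# Added example: simplified model of [domain_realm] lookup, not MIT krb5 source.

# Constructed krb5.conf fragments: the testbed before and after the post's fix.
BEFORE = """
[libdefaults]
    default_realm = FOO
"""
AFTER = BEFORE + """
[domain_realm]
    mega = FOO
    .testbed.example = FOO
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict with lowercased keys."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "domain_realm" and "=" in line:
            key, value = line.split("=", 1)
            mapping[key.strip().lower()] = value.strip()
    return mapping

def realm_for_host(hostname, mapping):
    """Exact host entry first, then '.domain' entries, most specific first.
    None means no entry in the section applies to this hostname."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None

def service_principal(service, hostname, mapping):
    """Build service/host@REALM; the realm stays empty when nothing maps
    (compare the 'host/mega@' line in the klist output above)."""
    return f"{service}/{hostname}@{realm_for_host(hostname, mapping) or ''}"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, service_principal("host", "mega", parse_domain_realm(conf)))
```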