error "Wrong principal in request"

2011-07-20 Thread Rusanov, Dmitry
Hi,

Can someone help me troubleshoot this error in the Apache log:


[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(994): [client 192.168.20.17] Using HTTP/itgc-merc.msk.mts...@msk.mts.ru as server principal for password verification
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(698): [client 192.168.20.17] Trying to get TGT for user m...@msk.mts.ru
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(609): [client 192.168.20.17] Trying to verify authenticity of KDC using principal HTTP/itgc-merc.msk.mts...@msk.mts.ru
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(652): [client 192.168.20.17] krb5_rd_req() failed when verifying KDC
[Mon Jul 11 10:27:18 2011] [error] [client 192.168.20.17] failed to verify krb5 credentials: Wrong principal in request
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(698): [client 192.168.20.17] Trying to get TGT for user m...@mts.ru
[Mon Jul 11 10:27:18 2011] [error] [client 192.168.20.17] krb5_get_init_creds_password() failed: Realm not local to KDC
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(1073): [client 192.168.20.17] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(1628): [client 192.168.20.17] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(1566): [client 192.168.20.17] matched previous auth request

It is SSO with Apache + Kerberos.

Best regards,
Dmitry


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


GSSAPI Error: Wrong principal in request

2007-08-09 Thread jiang licht
The following problem occurred when I was testing a
GSSAPI and Cyrus SASL configuration. Sorry if this problem
is irrelevant, and thanks in advance for your help!

System: OpenSuse 10.2, MIT Kerberos 5 1.6.1 and Cyrus
SASL lib 2.1.22
Problem: Test w/ sample-server and sample-client
failed.
Principals:
host/[EMAIL PROTECTED],
[EMAIL PROTECTED]
Keytab: host/[EMAIL PROTECTED]
Symptom: see below. The following commands were run from
the "sample" folder on the same machine that runs the KDC.

--->>> run "./sample-server -s host -p ../plugins/.libs" in a console window (Note: as root)

Generating client mechanism list...
Sending list of 7 mechanism(s)
S:
Q1JBTS1NRDUgUExBSU4gR1NTQVBJIERJR0VTVC1NRDUgTE9HSU4gT1RQIEFOT05ZTU9VUw==
Waiting for client mechanism...

--->>> run "kinit aclient" from another console logged
in as "aclient" (yes, "aclient" is also a local
account on the machine). "klist" shows the ticket
obtained, and "krb5kdc.log" shows this:

Aug 09 14:30:23 mymachinehostname krb5kdc[3911](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.8: ISSUE: authtime 1186687823, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]

So far so good

--->>> run "./sample-client -s host -u aclient -n FQDN_mymachine -p ../plugins/.libs/"

service=host
Waiting for mechanism list from server...

--->>>copy and paste the line "S:..." to client window

LENGTH=52recieved 52 byte message
Choosing best mechanism from: CRAM-MD5 PLAIN GSSAPI
DIGEST-MD5 LOGIN OTP ANONYMOUS
returning OK: aclient
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C:

check the "krb5kdc.log", it shows a ticket issued to
"aclient" for "host/[EMAIL PROTECTED]"

Aug 09 14:30:49 mymachinehostname krb5kdc[3911](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.8: ISSUE: authtime 1186687823, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for host/[EMAIL PROTECTED]

not bad:)

--->>>copy and paste the line "C:..." to server window

got 'GSSAPI'
lt-sample-server: SASL Other: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Wrong principal in request)
lt-sample-server: Starting SASL negotiation: authentication failure (authentication failure)

BUT there is NO log in "krb5kdc.log" for this error!

Note: There is no DNS problem; it is set up correctly for
name lookup and reverse lookup. An FQDN is added
to /etc/hosts for the machine as well. Kerberos also
works without problems with pam_krb5 for login.

So, what could cause the problem? Any ideas?

Thanks!
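
An added triage example, not part of the original post or of any Kerberos project's code: "Wrong principal in request" is raised by the accepting server when the service name inside the ticket is not the name it accepts for, so this compares the service principals a krb5kdc.log shows as issued with an acceptor name. The log lines, the principals (`EXAMPLE.COM`, `ws1`) and all function names are constructed for illustration.

```python
import re

# Tail of a krb5kdc "ISSUE" log entry: "..., <client> for <service>".
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (AS_REQ|TGS_REQ) .*?: ISSUE: .*?\}, (\S+) for (\S+)$")

def issued_tickets(kdc_log):
    """Return (request type, client, service principal) for each ISSUE entry."""
    hits = (ISSUE_RE.search(line.strip()) for line in kdc_log.splitlines())
    return [m.groups() for m in hits if m]

def split_principal(name):
    """Split 'service/host@REALM' into (service, host, realm); absent parts are ''.
    Assumes no escaped '@' or '/' inside a component."""
    rest, _, realm = name.partition("@")
    service, _, host = rest.partition("/")
    return service, host, realm

def mismatch(ticket_sname, acceptor_name):
    """List the components that differ; an empty list means the names agree.
    Principal names are compared exactly, so letter case counts."""
    pairs = zip(("service", "host", "realm"),
                split_principal(ticket_sname), split_principal(acceptor_name))
    return [f"{label}: ticket={t!r} acceptor={a!r}" for label, t, a in pairs if t != a]

def check(kdc_log, acceptor_name):
    """Map each service ticket the KDC issued to its differences from the acceptor."""
    return {sname: mismatch(sname, acceptor_name)
            for req, _client, sname in issued_tickets(kdc_log) if req == "TGS_REQ"}

# Constructed sample input (the principals on the page are redacted).
SAMPLE_KDC_LOG = """\
Aug 09 14:30:23 kdc1 krb5kdc[3911](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.8: ISSUE: authtime 1186687823, etypes {rep=16 tkt=16 ses=16}, aclient@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Aug 09 14:30:49 kdc1 krb5kdc[3911](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.8: ISSUE: authtime 1186687823, etypes {rep=16 tkt=16 ses=16}, aclient@EXAMPLE.COM for host/ws1.example.com@EXAMPLE.COM
"""
# Assumed acceptor name: a server whose own hostname resolves to the short name.
SAMPLE_ACCEPTOR = "host/ws1@EXAMPLE.COM"

if __name__ == "__main__":
    for sname, diffs in check(SAMPLE_KDC_LOG, SAMPLE_ACCEPTOR).items():
        print(sname, "->", diffs or "matches the acceptor name")
```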
