GSSAPI Error: Wrong principal in request

jiang licht licht_jiang at yahoo.com
Thu Aug 9 16:06:35 EDT 2007


It seems the problem that I have lies in GSSAPI. But
it occurred when I tested to configure GSSAPI and
Cyrus SASL. So, I still posted the problem here. Sorry
to bother others if this problem is irrelevant and
thanks for your help in advance!

System: OpenSuse 10.2, MIT Kerberos 5 1.6.1 and Cyrus
SASL lib 2.1.22
Problem: Test w/ sample-server and sample-client
failed.
Principals:
host/mymachinehostname.company.com at COMPANY.COM,
aclient at COMPANY.COM
Kettab: host/mymachinehostname.company.com at COMPANY.COM
Sympton: see below. the following commands run from
"sample" folder on the same machine running as KDC

--->>> run "./sample-server -s host -p
../plugins/.libs" in a console window (Note: as root)

Generating client mechanism list...
Sending list of 7 mechanism(s)
S:
Q1JBTS1NRDUgUExBSU4gR1NTQVBJIERJR0VTVC1NRDUgTE9HSU4gT1RQIEFOT05ZTU9VUw==
Waiting for client mechanism...

--->>> run "kinit aclient" from another console logged
in as "aclient" (yes, "aclient" is also a local
account on the machine). "klist" shows the ticket
obtained. and "krb5kdc.log" shows this:

Aug 09 14:30:23 mymachinehostname krb5kdc[3911](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.8:
ISSUE: authtime 1186687823, etype
s {rep=16 tkt=16 ses=16}, aclient at COMPANY.COM for
krbtgt/COMPANY.COM at COMPANY.COM

So far so good

--->>> run "./sample-client -s host -u aclient -n
FQDN_mymachine -p ../plugins/.libs/"

service=host
Waiting for mechanism list from server...

--->>>copy and paste the line "S:..." to client window

LENGTH=52recieved 52 byte message
Choosing best mechanism from: CRAM-MD5 PLAIN GSSAPI
DIGEST-MD5 LOGIN OTP ANONYMOUS
returning OK: aclient
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C:
R1NTQVBJAGCCAiQGCSqGSIb3EgECAgEAboICEzCCAg+gAwIBBaEDAgEOogcDBQAgAAAAo4IBK2GCAScwggEjoAMCAQWhEBsOTkFQSVRFS0xURC5DT02iMDAuoAMCAQOhJzAlGwRo
b3N0Gx13czcwMDZvcGVuc3VzZS5uYXBpdGVrbHRkLmNvbaOB1zCB1KADAgEQoQMCAQiigccEgcR2IXsQJ3QT2BrsljGKI5B/8U4klBk0SmYpwC1QM+vlrZRMDDOlJ9XjK0OG2ON98Fy
fP5//H7uBCE95m9Q1Vil8uSjh48WpH/YYENfn2zi8Qp17oq+w9XMynT6yei6ccReUCoeqt1d2IHU+8r/XebDUMt0QTKxJXuBQvCV1TV+yhBbZTsEYYBrxk14FVA7BRYUSzzNA+FCnPJ
EwR45YPHMVg4rJbCsvFyWKLKMRlwS1PaS8SuGW3sSzUA+NJQPyXwTpAQwDpIHKMIHHoAMCARCigb8Egbzs9q9g9hXsXe2JnIcWJP5BsOHoJavtKTborEs1TdK4SVwMk+tmW4UFhmD+V
cl/nTdZX/HSgz11hKhkCJNGH1hV/rkiTew/dverAWcsOHmuYEP8ChL77/3Wi/6BIlDX13846UTKCks1cFlQPBIiSt28HMKz/NeWCgbOWwBqOhEHz5cboq75zpgQJSIGCsUhVG5Y9b+A
NeFy/ifMfTmybUIKhQ21LRZfo/y0M2nw4Rqjqd7wR+tAVLbER0MjHA==

check the "krb5kdc.log", it shows a ticket issued to
"aclient" for "host/FQDN_mymachine at COMPANY.COM"

Aug 09 14:30:49 mymachinehostname krb5kdc[3911](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.8:
ISSUE: authtime 1186687823, etyp
es {rep=16 tkt=16 ses=16}, aclient at COMPANY.COM for
host/mymachinehostname.company.com at COMPANY.COM

not bad:)

--->>>copy and paste the line "C:..." to server window

got 'GSSAPI'
lt-sample-server: SASL Other: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more
information (Wrong principal in request)
lt-sample-server: Starting SASL negotiation:
authentication failure (authentication failure)

BUT there is NO log in "krb5kdc.log" for this error!

Note: There is no problem that DNS is set up right for
name look up and reverse lookup. And a FQDN is added
to /ect/hosts for the machine as well. There is no
problem that Kerberos works w/ pam_krb5 for login.

So, what could cause the problem. Any ideas?

Thanks!


       
____________________________________________________________________________________
Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news, photos & more. 
http://mobile.yahoo.com/go?refer=1GNXIC


More information about the Cyrus-sasl mailing list