From the kerberos@mit list: > sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting > authentication as jblaine@FOO > sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) credential > verification failed: Wrong principal in request > sshd[12256]: Postponed gssapi-with-mic for jblaine from 192.168.1.240 > port 32812 ssh2 > sshd[12255]: debug1: Unspecified GSS failure. Minor code may provide > more information\nWrong principal in request\n It would be more informative if these messages said something like "Wrong principal in request (wanted 'foo@REALM', found 'bar@REALM')". The code sites generating the WRONG_PRINC error should call krb5_set_error_message and supply the additional detail needed for a sysadmin to debug the (presumed) configuration problem. Ken