Return-Path: Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (Postfix) with ESMTP id 66A2E3E6EC; Thu, 31 Dec 2009 02:28:35 -0500 (EST) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBV7SZxx009535; Thu, 31 Dec 2009 02:28:35 -0500 Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBV7SXDn009532 for ; Thu, 31 Dec 2009 02:28:33 -0500 Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id nBV7RnV4002259; Thu, 31 Dec 2009 02:27:49 -0500 (EST) Received: from squish.raeburn.org ([76.119.237.235]) (authenticated bits=0) (User authenticated as raeburn@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id nBV7SdV0028829 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 31 Dec 2009 02:28:39 -0500 (EST) Message-ID: <5D58605D-C413-498B-B195-64A1379B64AE@mit.edu> From: Ken Raeburn To: krb5-bugs@MIT.EDU Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Subject: "wrong principal in request" should name the principals MIME-Version: 1.0 (Apple Message framework v936) Date: Thu, 31 Dec 2009 02:28:27 -0500 References: <4B3B9CEA.6000904@kickflop.net> X-Mailer: Apple Mail (2.936) X-Scanned-BY: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 X-Beenthere: krb5-bugs-incoming@mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Sender: krb5-bugs-incoming-bounces@PCH.mit.edu Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu X-RT-Original-Encoding: us-ascii Content-Length: 789 From the kerberos@mit list: > sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting > authentication as jblaine@FOO > sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) credential > verification failed: Wrong principal in request > sshd[12256]: Postponed gssapi-with-mic for jblaine from 192.168.1.240 > port 32812 ssh2 > sshd[12255]: debug1: Unspecified GSS failure. Minor code may provide > more information\nWrong principal in request\n It would be more informative if these messages said something like "Wrong principal in request (wanted 'foo@REALM', found 'bar@REALM')". The code sites generating the WRONG_PRINC error should call krb5_set_error_message and supply the additional detail needed for a sysadmin to debug the (presumed) configuration problem. Ken