From: Ken Raeburn <raeburn@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: "wrong principal in request" should name the principals
Date: Thu, 31 Dec 2009 02:28:27 -0500

From the kerberos@mit list:

> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting
> authentication as jblaine@FOO
> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) credential
> verification failed: Wrong principal in request

> sshd[12256]: Postponed gssapi-with-mic for jblaine from
> port 32812 ssh2
> sshd[12255]: debug1: Unspecified GSS failure. Minor code may provide
> more information\nWrong principal in request\n

It would be more informative if these messages said something like
"Wrong principal in request (wanted 'foo@REALM', found 'bar@REALM')".
The code sites generating the WRONG_PRINC error should call
krb5_set_error_message and supply the additional detail needed for a
sysadmin to debug the (presumed) configuration problem.
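
A sketch of the message format requested above, as an added example (not MIT krb5 code and not part of the original message). `append` and `format_wrong_princ` are hypothetical names, and the principal strings are constructed samples standing in for unparsed names. It goes one step beyond the request by escaping the names, because the "found" principal originates in the request and would otherwise reach the log verbatim.

```c
#include <stdio.h>
#include <string.h>

/* Append src at *pos; with escape set, quote, backslash and non-printable
 * bytes are escaped so a name cannot split a log line. -1 if dst is full. */
static int append(char *dst, size_t dstlen, size_t *pos, const char *src, int escape)
{
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char buf[5];
        if (escape && (*p == '\'' || *p == '\\'))
            snprintf(buf, sizeof buf, "\\%c", *p);
        else if (escape && (*p < 0x20 || *p >= 0x7f))
            snprintf(buf, sizeof buf, "\\x%02x", *p);
        else
            snprintf(buf, sizeof buf, "%c", *p);
        size_t n = strlen(buf);
        if (*pos + n >= dstlen)
            return -1;
        memcpy(dst + *pos, buf, n + 1);   /* copies the terminating NUL too */
        *pos += n;
    }
    return 0;
}

/* Hypothetical helper. wanted/found stand in for krb5_unparse_name() output;
 * assumed wiring: krb5_set_error_message(ctx, KRB5KRB_AP_WRONG_PRINC, "%s", out).
 * On overflow it falls back to the bare message and returns -1. */
int format_wrong_princ(char *out, size_t outlen, const char *wanted, const char *found)
{
    size_t pos = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (append(out, outlen, &pos, "Wrong principal in request (wanted '", 0) ||
        append(out, outlen, &pos, wanted, 1) ||
        append(out, outlen, &pos, "', found '", 0) ||
        append(out, outlen, &pos, found, 1) ||
        append(out, outlen, &pos, "')", 0)) {
        snprintf(out, outlen, "Wrong principal in request");
        return -1;
    }
    return 0;
}

int main(void)
{
    char msg[256];  /* constructed sample names below */
    format_wrong_princ(msg, sizeof msg, "host/a.example.com@FOO", "host/b.example.com@FOO");
    puts(msg);
}
```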