From: Ken Raeburn <raeburn@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: "wrong principal in request" should name the principals
Date: Thu, 31 Dec 2009 02:28:27 -0500
From the kerberos@mit list:
> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) attempting
> authentication as jblaine@FOO
> sshd[12234]: pam_krb5RA(sshd:auth): (user jblaine) credential
> verification failed: Wrong principal in request
> sshd[12256]: Postponed gssapi-with-mic for jblaine from 192.168.1.240
> port 32812 ssh2
> sshd[12255]: debug1: Unspecified GSS failure. Minor code may provide
> more information\nWrong principal in request\n
It would be more informative if these messages said something like
"Wrong principal in request (wanted 'foo@REALM', found 'bar@REALM')".
The code sites generating the WRONG_PRINC error should call
krb5_set_error_message and supply the additional detail needed for a
sysadmin to debug the (presumed) configuration problem.
Ken
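
An added example, not part of the ticket and not libkrb5 code: a stand-alone C model of the check that builds the detailed message proposed above. The names check_principal, realm_at and the WRONG_PRINC stand-in value are hypothetical, principals are handled as plain strings split at the last unescaped '@', and the trailing hint about which part differs goes beyond the wording proposed in the ticket.

```c
#include <stdio.h>
#include <string.h>

#define WRONG_PRINC (-1)  /* stand-in for the library's WRONG_PRINC error code */

/* Offset of the '@' that starts the realm, or -1 if none. A backslash escapes
 * the next character, so "a\@b@FOO" has name "a\@b" and realm "FOO". */
static int realm_at(const char *p)
{
    int at = -1;
    for (int i = 0; p[i] != '\0'; i++) {
        if (p[i] == '\\' && p[i + 1] != '\0')
            i++;                       /* skip the escaped character */
        else if (p[i] == '@')
            at = i;
    }
    return at;
}

/* Returns 0 if the principals match; otherwise WRONG_PRINC, with msg (len > 0)
 * holding the detail libkrb5 code would pass to krb5_set_error_message(). */
int check_principal(const char *wanted, const char *found, char *msg, size_t len)
{
    msg[0] = '\0';
    if (strcmp(wanted, found) == 0)
        return 0;
    int wa = realm_at(wanted), fa = realm_at(found);
    size_t wn = wa < 0 ? strlen(wanted) : (size_t)wa;
    size_t fn = fa < 0 ? strlen(found) : (size_t)fa;
    int same_name = wn == fn && strncmp(wanted, found, wn) == 0;
    /* wanted + wn is "@REALM" or "", so a missing realm also counts as different. */
    int same_realm = strcmp(wanted + wn, found + fn) == 0;
    const char *hint = same_name ? "realm differs"
                     : same_realm ? "name differs" : "name and realm differ";
    snprintf(msg, len, "Wrong principal in request (wanted '%s', found '%s'; %s)",
             wanted, found, hint);
    return WRONG_PRINC;
}

int main(void)
{
    char msg[256];
    /* Constructed sample principals, not taken from the ticket. */
    if (check_principal("host/a.example.com@FOO", "host/a.example.com@BAR",
                        msg, sizeof msg) != 0)
        puts(msg);
    return 0;
}
```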