Old 01-04-2012, 02:15 AM   #1
LQ Newbie
Registered: Oct 2010
Location: Tallinn
Distribution: CentOS 5.5
Posts: 18
Wrong principal in request (Kerberos/GSSAPI/ssh/Debian)

I've set up two VMs on an "internal" (in the VirtualBox sense) network, one being a DNS server ( and the other a KDC and Kerberos admin server (. The default and only realm is EXAMPLE.COM. Both machines use freshly installed Debian Squeeze.

The problem: I can log in via ssh on from, but I can't log in via ssh from

On, sshd in debug mode says:

debug1: Unspecified GSS failure.  Minor code may provide more information
Wrong principal in request

debug1: Got no client credentials
debug3: mm_request_send entering: type 41
debug3: mm_request_receive entering
debug1: userauth-request for user tom service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug1: userauth-request for user tom service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
at which point the client is asked for a password. A tcpdump file processed by Wireshark shows there has been some exchange of encrypted packets, but I can't deduce more, as they are, well, encrypted. After 2 days of googling I'm stuck and would appreciate any help.

Even more, I would appreciate any advice/links/hints on a general, sane configuration-debugging strategy when it comes to Kerberos and friends. For example, I'm out of ideas where to look for what's wrong with 'Wrong principal', and what that principal is that the server receives instead of the right one. Something tells me the real adventures are yet to come.

Below are configs and diagnostic outputs. Hope I haven't forgotten anything.

kdc:~# cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
kdc:~# kadmin.local -q 'listprincs'
Authenticating as principal root/admin@EXAMPLE.COM with password.
kdc:~# cat /etc/ssh/sshd_config | grep '^[^#]'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
/etc/krb5.conf is identical on both kdc and dns1.
dns1:~$ cat /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    forwardable = true

[realms]
    EXAMPLE.COM = {
        admin_server =
    }

[domain_realm]
     = EXAMPLE.COM
     = EXAMPLE.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
The TGT is forwardable. On the ssh client:
dns1:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tom@EXAMPLE.COM

Valid starting     Expires            Service principal
01/03/12 20:00:03  01/04/12 06:00:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 01/04/12 20:00:00, Flags: FRIA
01/03/12 20:00:21  01/04/12 06:00:03  host/
    renew until 01/04/12 20:00:00, Flags: FRAT
The keytab also seems to be OK:

dns1:~# klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/
   5 host/
   5 host/
   5 host/
DNS (incl. PTR, TXT, SRV) works as it should.

dns1:~# cat /var/cache/bind/ 
$TTL    86400
@   IN  SOA (
            2012010301  ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
              86400 )   ; Negative Cache TTL
@   IN  NS
dns1    IN  A
www IN  A
mail    IN  A
fed IN  A

kdc IN  A
;kds    IN  A

_kerberos   TXT "EXAMPLE.COM"

krb IN  CNAME   kdc

_kerberos._udp      SRV 0 0 88  kdc
_kerberos-master._udp   SRV 0 0 88  kdc
_kerberos-adm._tcp  SRV 0 0 749 kdc
_kpasswd._udp       SRV 0 0 464 kdc

dns1:~# cat /var/cache/bind/ 
$TTL    86400
@   IN  SOA (
            2012010102  ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
              86400 )   ; Negative Cache TTL
@   IN  NS
2   IN  PTR
3   IN  PTR

8   IN  PTR
9   IN  PTR
Old 01-04-2012, 06:30 AM   #2
Original Poster
Solved

I have to be more attentive. There was a line left in /etc/hosts resolving to the FQDN (now commented out):
kdc:~$ cat /etc/hosts
   localhost
# kdc kdc
After purging the related principals from the DB and the keytab and restarting both VMs, everything works as desired. Ufff...

Last edited by Toomas; 01-04-2012 at 06:31 AM.
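The thread compares three things by hand: the host/ principals in the server's keytab (klist -k), the service ticket the client already holds (klist), and the stale /etc/hosts line that turned out to override how the server resolves its own name. The following script is an added example written for this page (not code from the thread or from any Kerberos project) that automates that comparison and reports which of the three disagree. It runs offline on constructed sample inputs; the hostnames kdc.example.com and kdc-old.example.com, the 127.0.1.1 address and the exact shape of the stale hosts line are assumptions made for the example, while the realm EXAMPLE.COM and the output formats are those shown in the thread. The live_inputs() helper reads the real keytab, /etc/hosts and FQDN on the machine it runs on, which is meant to be the ssh server.

```python
"""Check that the name an ssh server will use for its GSSAPI acceptor
credential matches what the keytab and the client's ticket say."""
import re
import socket
import subprocess

REALM = "EXAMPLE.COM"  # realm used in the thread

# Constructed sample inputs. Hostnames and addresses are assumptions made
# for this example; the thread's own values were not preserved.
SAMPLE_KLIST_K = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/kdc.example.com@EXAMPLE.COM
   5 host/kdc.example.com@EXAMPLE.COM
"""
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tom@EXAMPLE.COM

Valid starting     Expires            Service principal
01/03/12 20:00:03  01/04/12 06:00:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
01/03/12 20:00:21  01/04/12 06:00:03  host/kdc.example.com@EXAMPLE.COM
"""
# A stale Debian-style 127.0.1.1 line; the assumed shape of the line the poster found.
SAMPLE_HOSTS = """127.0.0.1   localhost
127.0.1.1   kdc-old.example.com kdc
"""

KEYTAB_LINE = re.compile(r"\s*(\d+)\s+(host/\S+)")
HOST_PRINC = re.compile(r"\bhost/[\w.-]+@[\w.-]+")


def keytab_principals(klist_k_output):
    """host/ principals listed by `klist -k`, mapped to their highest KVNO."""
    found = {}
    for line in klist_k_output.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            kvno, princ = int(m.group(1)), m.group(2)
            found[princ] = max(kvno, found.get(princ, 0))
    return found


def ticket_principals(klist_output):
    """host/ service principals the client already holds tickets for."""
    return {m.group(0) for m in HOST_PRINC.finditer(klist_output)}


def hosts_entries(hosts_text):
    """(address, canonical name, aliases) per /etc/hosts line, comments stripped."""
    entries = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1].lower(), [a.lower() for a in fields[2:]]))
    return entries


def diagnose(server_fqdn, keytab, tickets, entries):
    """Findings that would explain 'Wrong principal in request' for server_fqdn."""
    findings = []
    expected = f"host/{server_fqdn}@{REALM}"
    if expected not in keytab:
        findings.append(f"keytab has no key for {expected} (has {sorted(keytab)})")
    if expected not in tickets:
        findings.append(f"client holds no ticket for {expected} (has {sorted(tickets)})")
    short = server_fqdn.split(".")[0]
    for addr, canon, aliases in entries:
        # With 'files' before 'dns' in nsswitch.conf, the first name on a matching
        # /etc/hosts line is the canonical name the server will use for itself.
        if short in [canon] + aliases and (canon != server_fqdn or addr.startswith("127.")):
            findings.append(f"/etc/hosts line '{addr} {canon}' makes {short} canonicalise "
                            f"to {canon} at {addr}, not {server_fqdn}")
    return findings


def live_inputs():
    """Read the real FQDN, keytab listing and /etc/hosts on this (server) machine."""
    fqdn = socket.getfqdn()
    klist_k = subprocess.run(["klist", "-k"], capture_output=True, text=True).stdout
    with open("/etc/hosts") as fh:
        hosts = fh.read()
    return fqdn, klist_k, hosts


if __name__ == "__main__":
    fqdn = "kdc.example.com"  # assumed server name for the sample run
    for finding in diagnose(fqdn, keytab_principals(SAMPLE_KLIST_K),
                            ticket_principals(SAMPLE_KLIST), hosts_entries(SAMPLE_HOSTS)):
        print("-", finding)
```

On the sample data the keytab and the client's ticket agree on host/kdc.example.com@EXAMPLE.COM, and the only finding is the /etc/hosts line that makes the short name canonicalise to a different FQDN, which is the class of mismatch the second post resolved by removing the line and recreating the principals. To use it for real, paste the client's klist output into ticket_principals() and feed the rest from live_inputs() on the server.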