On 03/01/2012 02:24 PM, Jan Zelený wrote:
On 03/01/2012 02:04 PM, Jan Zelený wrote:
On 03/01/2012 12:21 PM, Ondrej Valousek wrote:
Hello,

I am running sssd on RHEL-6 with AD and recently found out that I can
no longer authenticate via ssh. The message is:
pam_krb5[27045]: TGT failed verification using keytab and key for
'nfs/draco.prague.s3group.com@DUBLIN.AD.S3GROUP.COM': Wrong principal
in request

My krb5.keytab file has been created using Samba with "net ads join".
I can still run 'kinit <username>' to obtain a TGT.

Does anyone know what is going on here? Why is sshd verifying the TGT
via just the nfs/ service principal?

Sorry for a bit off-topic question, but I hoped someone in this list
might point me in the right direction.

Ondrej
Note that with:
kinit -S nfs/draco.prague.s3group.com@DUBLIN.AD.S3GROUP.COM ondrejv

I am able to successfully obtain the nfs/ principal - so it looks like a
bug in pam_krb5, right?
You should also try kinit -k to see if kinit with the keytab is ok.

Thanks
Jan
kinit -k -S nfs/draco.prague.s3group.com@DUBLIN.AD.S3GROUP.COM draco$
works fine, too.

So I am probably going to file a bug report, right?
Just to be sure, try klist -k and send me the result.

Thanks
Jan
Just a plain kinit -k does not work here:
[root@draco ~]# kinit -k
kinit: Client 'host/draco.prague.s3group.com@DUBLIN.AD.S3GROUP.COM' not found in Kerberos database while getting initial credentials

... but this is pretty much normal as I am using AD based KDC.
This works fine though:

[root@draco ~]# kinit -k draco$

Another strange thing is that sshd complains when I attempt to log in via GSSAPI & existing Kerberos TGT. It says:

debug1: Unspecified GSS failure.  Minor code may provide more information
No key table entry found for host/draco.prague.s3group.com@DUBLIN.AD.S3GROUP.COM

But again,
kinit -S host/draco.prague.s3group.com@DUBLIN.AD.S3GROUP.COM ondrejv

works just fine (I just need to type my password).

Ondrej
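Both failures in this thread come down to what the keytab actually contains: sshd's GSSAPI path and pam_krb5's TGT verification look for a host/<fqdn>@<REALM> entry, and the "net ads join" keytab here holds an nfs/ entry and the machine account instead. The following is an added example, not code from the thread or from sssd/pam_krb5: a small POSIX sh audit that reads `klist -k` output and reports whether the host/ principal is present. The sample listing, the function names `keytab_principals` and `check_keytab_for`, and the `DRACO$` machine-account entry are constructed for the example; on a real host you would pipe `klist -k /etc/krb5.keytab` into `check_keytab_for` instead of the sample.

```shell
#!/bin/sh
# Added example: audit a keytab listing for the host/ service principal
# that sshd (GSSAPI) and pam_krb5 (TGT verification) expect to find.
# Usage on a real system:  klist -k /etc/krb5.keytab | check_keytab_for "$(hostname -f)" REALM

# Constructed sample of `klist -k` output, modelled on the keytab described
# in the thread: an nfs/ entry and the machine account, but no host/ entry.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/draco.prague.s3group.com@DUBLIN.AD.S3GROUP.COM
   2 DRACO$@DUBLIN.AD.S3GROUP.COM'

# keytab_principals: read `klist -k` output on stdin, print each distinct
# principal once. Entry lines start with a numeric KVNO; header lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# check_keytab_for <fqdn> <realm>: read `klist -k` output on stdin and
# return 0 if host/<fqdn>@<realm> is present, 1 otherwise. When it is
# missing, list what the keytab does hold, since that is what pam_krb5
# falls back to (the thread shows it trying the nfs/ key and failing with
# "Wrong principal in request").
check_keytab_for() {
    fqdn=$1
    realm=$2
    want="host/${fqdn}@${realm}"
    principals=$(keytab_principals)
    if printf '%s\n' "$principals" | grep -Fqx "$want"; then
        echo "OK: $want present in keytab"
        return 0
    fi
    echo "MISSING: $want (needed by sshd GSSAPI and pam_krb5 TGT verification)"
    echo "Keytab currently holds:"
    printf '%s\n' "$principals" | sed 's/^/  /'
    return 1
}

# Demo over the constructed sample; reports the missing host/ entry.
printf '%s\n' "$SAMPLE_KLIST" \
    | check_keytab_for draco.prague.s3group.com DUBLIN.AD.S3GROUP.COM \
    || echo "audit result: host/ principal absent, as in the thread"
```

If the audit reports the host/ entry as missing, the fix is on the keytab side (adding the host/ service principal for the machine account), not in pam_krb5; if it reports OK but sshd still fails, check that the FQDN in the keytab matches what the client resolves the host to.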