Wednesday, March 28, 2007

Miscellaneous failure No principal in keytab matches desired name

I was getting this error in the server logs when trying to ssh into a Kerberos-enabled box. Although my ssh client was getting a principal for the machine, host/machine.ox.ac.uk@OX.AC.UK, I wasn't getting logged in. Looking on the net, it seemed likely that I didn't have the matching principal in the keytab file, but klist -k /etc/krb5.keytab showed all the correct keys. The next thing I checked was that the forward and reverse DNS records matched (host machine.ox.ac.uk and host 192.0.2.0). After running round in circles I checked /etc/hosts and found the line 192.0.2.0 machine; because my machine consulted the hosts file before DNS, it was looking for the principal host/machine@OX.AC.UK, which of course didn't exist.

This whole saga would have been much easier to debug if the error message had just included the principal that wasn't present in the keytab file. The machine was a server Ubuntu 6.10 install. Strangely, my desktop Ubuntu machine has the machine name associated only with 127.0.0.1 and not with the external IP, although that machine uses DHCP to get its IP.
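As an added example (not code from the original post), the following Python mimics the two lookups that went wrong here and in the comments: the canonical hostname that a hosts-file-before-DNS lookup returns from /etc/hosts, and the [domain_realm] mapping that turns it into the host principal sshd searches for in the keytab. The klist output, hosts lines and realm mapping are constructed samples.

```python
import re
from typing import Optional

# Constructed sample of `klist -k /etc/krb5.keytab` output (not captured from a real host)
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   3 host/machine.ox.ac.uk@OX.AC.UK
"""
# Constructed /etc/hosts contents: the bad line from the post, and a corrected one
BAD_HOSTS = "127.0.0.1 localhost\n192.0.2.0 machine\n"
GOOD_HOSTS = "127.0.0.1 localhost\n192.0.2.0 machine.ox.ac.uk machine\n"
# Constructed [domain_realm] section of krb5.conf; a leading dot matches subdomains
DOMAIN_REALM = {".ox.ac.uk": "OX.AC.UK", "ox.ac.uk": "OX.AC.UK"}
DEFAULT_REALM = "OX.AC.UK"

def keytab_principals(klist_output: str) -> set:
    """Principal names from `klist -k` output (one '<kvno> <principal>' per line)."""
    return set(re.findall(r"^\s*\d+\s+(\S+)\s*$", klist_output, re.M))

def canonical_name(hosts_text: str, ip: str) -> Optional[str]:
    """The first name on the matching /etc/hosts line is what a 'files' lookup
    returns as the canonical hostname, before DNS is ever consulted."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]
    return None

def realm_for_host(hostname: str, domain_realm: dict, default_realm: str) -> str:
    """Map a hostname to a realm the way [domain_realm] is applied: exact match
    first, then each parent domain with a leading dot, then the default realm."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return default_realm

def check_host_principal(hosts_text: str, ip: str, klist_output: str) -> tuple:
    """Return (principal sshd will look for, True if the keytab contains it)."""
    name = canonical_name(hosts_text, ip) or "<unresolved>"
    wanted = "host/%s@%s" % (name, realm_for_host(name, DOMAIN_REALM, DEFAULT_REALM))
    return wanted, wanted in keytab_principals(klist_output)
```

With BAD_HOSTS the check reports host/machine@OX.AC.UK missing from the keytab, which is the principal the post eventually traced the error to; with GOOD_HOSTS the FQDN principal is found.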

4 comments:

Matthias said...

Had the same unclear message in my logs. In my case the problem was not having a proper [domain_realm] section in krb5.conf.

Anonymous said...

Thanks Matthias! Something with name resolution seems to be screwed on my mod_auth_kerb server and adding appropriate [domain_realm]s did the trick!

Anonymous said...

Thank you very much for that hint! I have been bugged by this "bug" on my Ubuntu system. On Red Hat it worked, but I couldn't figure out myself what the difference was between the two systems... Anyways: Big Thanks man! :-)

Stefano Argiro said...

Thanks soooo much! I was about to go crazy.