SSH Kerberos authentication fails with "Wrong principal in request/Got no client credentials" on debian squeeze
In the sample output I see that you got a key for a debian-squeeze
-- a hostname without any dots in it. This does kind of prove that you set up your reverse resolution to point to the short name. Is that really a non-FQDN name that you see, or was it edited for the question?
Kerberos should work with either, but you may to double check that the host itself thinks it is called debian-squeeze
. Check that the forward -> reverse lookup inside debian-squeeze
really resolves to debian-squeeze
:
$ getent hosts $(hostname) | awk '{print $1; exit}' | xargs getent hosts | awk '{print $2}'
I haven't really heard of Kerberos being deployed with short names, so if you have a choice, it may be a good idea to stick with FQDNs.
Update:
The client is currently getting a key for the short name, but the server thinks it is properly named with a long name. Most likely the issue is there. Just to be sure, try the following:
Check the forward/reverse name lookup from the client. I.e.
$ getent hosts debian-squeeze | awk '{print $1; exit}' | xargs getent hosts | awk '{print $2}'
The returned name is the one that the client will try to get a ticket for. Judging by your output, this is probably the short name.
Check what keys are present on the server.
$ sudo klist -k /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 host/debian-squeeze.realm@REALM 1 host/debian-squeeze.realm@REALM 1 host/debian-squeeze.realm@REALM 1 host/debian-squeeze.realm@REALM ...
In the list you should see a principal matching the hostname from the previous command. If it's not there, then that's your problem. If it is there...
Verify the key version on the kerberos server is the same as the one on
debian-squeeze
. On the client, get a key explicitly and verify the "KVNO" version at the end of the line:$ kvno host/debian-squeeze.realm host/debian-squeeze.realm@REALM: kvno = 1
At any rate, the hostname and "kvno" version in all these commands should match.
Related videos on Youtube
![Florian Schmidt](https://i.stack.imgur.com/pCD2b.png?s=256&g=1)
Florian Schmidt
Updated on September 18, 2022Comments
-
Florian Schmidt almost 2 years
im trying to add new contacts to the phone but he does only the first 12 items. i want to try all current 36 items and maybe more add to the phone contacts.
while ((line = bufferedReader.readLine()) != null) { System.out.println("[[DEBUG]] [DW-UPDATE] LINE: " + line); String[] split = line.split(";", -1); split[2] = split[2].replace("/", "").replace("-", ""); if (!contactExists(mActivity, split[2])) { ops.add(ContentProviderOperation.newInsert(ContactsContract.RawContacts.CONTENT_URI) .withValue(ContactsContract.RawContacts.ACCOUNT_TYPE, null) .withValue(ContactsContract.RawContacts.ACCOUNT_NAME, null) .withValue(ContactsContract.RawContacts.AGGREGATION_MODE, ContactsContract.RawContacts.AGGREGATION_MODE_DISABLED) .build()); ops.add(ContentProviderOperation.newInsert(ContactsContract.Data.CONTENT_URI) .withValueBackReference(ContactsContract.Data.RAW_CONTACT_ID, Integer.valueOf(split[0])) .withValue(ContactsContract.Data.MIMETYPE, ContactsContract.CommonDataKinds.StructuredName.CONTENT_ITEM_TYPE) .withValue(ContactsContract.CommonDataKinds.StructuredName.DISPLAY_NAME, split[1]) .build()); ops.add(ContentProviderOperation.newInsert(ContactsContract.Data.CONTENT_URI) .withValueBackReference(ContactsContract.Data.RAW_CONTACT_ID, Integer.valueOf(split[0])) .withValue(ContactsContract.Data.MIMETYPE, ContactsContract.CommonDataKinds.Phone.CONTENT_ITEM_TYPE) .withValue(ContactsContract.CommonDataKinds.Phone.NUMBER, split[2]) .withValue(ContactsContract.CommonDataKinds.Phone.TYPE,ContactsContract.CommonDataKinds.Phone.TYPE_MOBILE) .build()); try { mActivity.getContentResolver().applyBatch(ContactsContract.AUTHORITY, ops); } catch (Exception e) { e.printStackTrace(); } } }
function contactExists:
public boolean contactExists(Activity _activity, String number) { Uri lookupUri = Uri.withAppendedPath(ContactsContract.PhoneLookup.CONTENT_FILTER_URI, Uri.encode(number)); String[] mPhoneNumberProjection = { ContactsContract.PhoneLookup._ID, ContactsContract.PhoneLookup.NUMBER, ContactsContract.PhoneLookup.DISPLAY_NAME }; Cursor cur = _activity.getContentResolver().query(lookupUri, mPhoneNumberProjection, null, null, null); try { if (cur.moveToFirst()) { return true; } } finally { if (cur != null) cur.close(); } return false; }// contactExists
what i must do, to work this better?
-
Michael Dodd over 6 yearsJust to confirm, how many times are you seeing
[[DEBUG]] [DW-UPDATE] LINE:
appear? I'd also recommend usingLog.d()
instead to print log messages to Android's Logcat. -
Florian Schmidt over 6 yearsall 36 items print the message. What is the different between Log.d and System.out ?
-
Michael Dodd over 6 years
System.out
, traditionally for logging to the Java console, gets redirected toLog.i()
in more recent versions of Android, but previously it didn't get picked up by Android's logging toolLogcat
. UsingLog
ensures that logging messages are passed to logcat. See also: stackoverflow.com/a/2220559/469080 -
Michael Dodd over 6 yearsUsing
Log
also allows for different logging levels based on the severity of what you're logging (e.g. debug message, warning, error) -
Michael Dodd over 6 yearsI have a feeling you're using the wrong back reference. Just after your
if
statement, addint backref = ops.size();
, and usebackref
instead ofsplit[0]
. Not confident enough to call it an answer, but give it a go. -
Florian Schmidt over 6 yearsoh thanks you. that was my mistake. it works perfect!
-
Michael Dodd over 6 yearsCheers, full answer added. Please upvote and accept if you find it useful.
-
-
b0ti over 11 yearsDNS is fine. Only localhost entries in /etc/hosts.
-
b0ti over 11 yearsThe host is called 'debian-squeeze' as returned by
hostname
. The IP maps back to FQDN, so the command you gave returns 'debian-squeeze.realm'. As a side-note: I have two keys set up for this host, one for the fqdn and one for the short name. Could this be messing up? -
chutz over 11 yearsVery well, I updated my answer with further things you should check. It is most likely a short name / FQDN confusion.
-
b0ti over 11 yearsThanks a lot! My problem was indeed caused by the extra key with the short hostname. I just wish it would be easier to debug such issues so that the logs indicate what the problematic principal is.