What happens if you use the full realm info? e.g., host/kdc.kerb.com@KERB.COM (or whatever your REALM is)? In my case I can’t get away without specifying the realm, but YMMV. I would use one of the principal names exactly as you’d see if you ran sudo klist -k /etc/krb5.keytab, and see if that gets you further.

-nh

On 12/9/05 2:38:46 AM, "sandy s" <sandypossible@gmail.com> wrote:

Hi all,

The OID null value issue (seg fault) was fixed by adding the OID GSS_KRB5_NT_PRINCIPAL_NAME.

But I am getting a different error now: I have verified that it has valid keytab entries.

-Sandy.

2005-12-09 16:01:33: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
2005-12-09 16:01:33: DEBUG: trns#=1, trns-id=IKE
2005-12-09 16:01:33: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2005-12-09 16:01:33: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2005-12-09 16:01:33: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2005-12-09 16:01:33: DEBUG: type=Authentication Method, flag=0x8000, lorv=GSS-API on Kerberos 5
2005-12-09 16:01:33: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2005-12-09 16:01:33: DEBUG: type=Group Description, flag=0x8000, lorv=768-bit MODP group
2005-12-09 16:01:33: DEBUG: type=GSS-API endpoint name, flag=0x0000, lorv=38
2005-12-09 16:01:33: DEBUG: received gss id 'host/linux.kerb.com' (len 19)
2005-12-09 16:01:33: DEBUG: Compared: DB:Peer
2005-12-09 16:01:33: DEBUG: (lifetime = 86400:86400)
2005-12-09 16:01:33: DEBUG: (lifebyte = 0:0)
2005-12-09 16:01:33: DEBUG: enctype = 3DES-CBC:3DES-CBC
2005-12-09 16:01:33: DEBUG: (encklen = 0:0)
2005-12-09 16:01:33: DEBUG: hashtype = SHA:SHA
2005-12-09 16:01:33: DEBUG: authmethod = GSS-API on Kerberos 5:GSS-API on Kerberos 5
2005-12-09 16:01:33: DEBUG: dh_group = 768-bit MODP group:768-bit MODP group
2005-12-09 16:01:33: DEBUG: an acceptable proposal found.
2005-12-09 16:01:33: DEBUG: hmac(modp768)
2005-12-09 16:01:33: DEBUG: gss id in new sa 'host/kdc.kerb.com'
2005-12-09 16:01:33: DEBUG: GIi is host/kdc.kerb.com
2005-12-09 16:01:33: DEBUG: GIr is host/linux.kerb.com
2005-12-09 16:01:33: DEBUG: ===
2005-12-09 16:01:33: DEBUG: compute DH's private.
2005-12-09 16:01:33: DEBUG:
4096727f 8d3c7270 13f2ad13 f719dfa3 27f6b3c3 3ab5e936 3e54ca7a 04077549
0ed74901 310e8755 a964ad2c 2f78c4f5 4f295e97 9cf3d2a7 5ad6eaa5 25c47edb
51a7ac02 e198b331 5b5a7510 e3e0b931 5cdc7265 62e09800 2e4932b0 7bfcb507
2005-12-09 16:01:33: DEBUG: compute DH's public.
2005-12-09 16:01:33: DEBUG:
7cb00698 c952669e 460352ef c9317b97 3b5ca652 156b7ffc c24e503d 0e38a707
898e84cc b074e811 538951ce b63c0c4d 8bedb68b ff4f4c8b 3bbf73b4 7b2263bf
a375ad79 96c4dc6b a1d12b0d 7840460d 93af15d5 058797c2 c654f9a1 5a36d30a
2005-12-09 16:01:33: ERROR: acquire cred
2005-12-09 16:01:33: ERROR: No principal in keytab matches desired name
2005-12-09 16:01:33: ERROR: failed to process packet.
2005-12-09 16:01:33: ERROR: phase1 negotiation failed.
2005-12-09 16:01:41: DEBUG: ===
2005-12-09 16:01:41: DEBUG: 126 bytes message received from 192.168.1.122[500] to 192.168.1.121[500]
2005-12-09 16:01:41: DEBUG:
dea111ae ad9f60f7 d6776bea b2d436c9 01100200 00000000 0000007e 00000062
00000001 00000001 00000056 01010001 0000004e 01010000 800b0001 000c0004
00015180 80010005 8003fde9 80020002 80040001 40000026 68006f00 73007400
2f006c00 69006e00 75007800 2e006b00 65007200 62002e00 63006f00 6d00




--
Nathan Herring
MacBU SDE/Development
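
The check suggested in the reply above, as an added example that is not part of the original thread or of racoon: it compares the gss ids racoon logged against principal names as klist -k prints them, and flags ids that are listed only with a realm appended. The log lines are copied from the quoted message; the klist -k listing is a constructed sample (the thread never shows the real keytab), and the function names are hypothetical.

```python
import re

# Lines copied from the racoon debug log in the quoted message.
RACOON_LOG = """\
2005-12-09 16:01:33: DEBUG: received gss id 'host/linux.kerb.com' (len 19)
2005-12-09 16:01:33: DEBUG: gss id in new sa 'host/kdc.kerb.com'
2005-12-09 16:01:33: ERROR: No principal in keytab matches desired name
"""

# Constructed sample of `klist -k` output; not taken from the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/kdc.kerb.com@KERB.COM
"""

def logged_gss_ids(log):
    """Map each racoon log phrase to the gss id it reported."""
    ids = {}
    for line in log.splitlines():
        m = re.search(r"(received gss id|gss id in new sa) '([^']+)'", line)
        if m:
            ids[m.group(1)] = m.group(2)
    return ids

def keytab_principals(klist_text):
    """Parse the 'KVNO Principal' table into a set of principal names."""
    names = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            names.add(m.group(1))
    return names

def classify(gss_id, principals):
    """'exact': listed verbatim; 'needs-realm': listed only as id@REALM; 'absent'."""
    if gss_id in principals:
        return "exact", [gss_id]
    qualified = sorted(p for p in principals if p.rsplit("@", 1)[0] == gss_id)
    return ("needs-realm", qualified) if qualified else ("absent", [])

if __name__ == "__main__":
    principals = keytab_principals(KLIST_OUTPUT)
    for phrase, gss_id in logged_gss_ids(RACOON_LOG).items():
        status, candidates = classify(gss_id, principals)
        print(f"{phrase}: {gss_id} -> {status} {candidates}")
```

An id reported as needs-realm is one to try in its realm-qualified form, as the reply suggests.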