Kerberos5 NAT and kftp

Protima Chhabra pchhabra at
Fri Nov 22 11:39:10 EST 2002


I have a Kerberos client sitting behind a firewall doing NAT. I have 
patched my client and added the proxy gateway to my configuration file, as 
explained in the document below

I can get a ticket, get ktelnet to work with an error message, but kftp 
does not work, as shown below. Can someone tell me what is it that I am 
doing wrong.


kclient101% klist
Ticket cache: /tmp/krb5cc_11617
Default principal: user at SUB.KRB.COM

Valid starting     Expires            Service principal
11/14/02 19:06:17  11/15/02 05:06:15  krbtgt/SUB.KRB.COM at SUB.KRB.COM

kclient102% ktelnet opal0-gx.main.KRB.COM
Trying Connected to opal0-gx.main.KRB.COM
( Escape character is '^]'. [ Kerberos V5 accepts you as
``user at SUB.KRB.COM'' ] [ Kerberos V5 refuses forwarded credentials because
Read forwarded creds failed: Incorrect net address ] Last login: Thu Nov 14
17:58:26 from
opal0> exit
opal0> logout
Connection closed by foreign host.

kclient103% kftp opal0-gx.main.KRB.COM
Connected to opal0-gx.main.KRB.COM.
220 opal0 FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Incorrect channel bindings were supplied
GSSAPI error minor: No error
GSSAPI error: accepting context
GSSAPI authentication failed
Name (opal0.main.KRB.COM:user):
530 User user access denied: authentication required.
Login failed.
Remote system type is UNKNOWN.
ftp> bye
221 Goodbye.


More information about the Kerberos mailing list