kerberos ftpd bug? can't get it to work (New, sort of)

root jpalma78 at hotmail.com
Mon Oct 6 08:30:58 EDT 2003


I posted this question a few weeks ago and got two responses asking me
to provide more accurate info about my setup.  So here it is.  I hope
this is good enough b/c this is as close as I am allowed to get to
reality...

> Does anyone know how to get ftp working on Kerberos V5?  I can connect
> to the ftp server but I fail to authenticate.  I keep getting an error
> message that "No principal in keytab matches desired name".  But my
> keytab file appears correct.  In fact, telnet and rsh are working.
> The only thing that doesn't work is ftp.  I have tried removing the
> ftp entry from my keytab file (supposedly some versions of kerberos
> will not work with ftp/host; only host/host) and I connect using the
> FQDN (also heard ftp is quirky about FQDNs) but I get exactly the same
> problems. I have tried everything and pored over all the docs I could
> get my hands on to no avail.  I suspect it's something stupid I am
> overlooking or maybe there's some obscure workaround.  Anyway, my
> boss really wants this implemented and I am stumped.  Anyone out there
> got any ideas?  ANY HELP WILL BE GREATLY APPRECIATED!
> 
> I PASTED THE ERROR AND MY KEYTAB FILE BELOW:
> 
> root at dopey# /usr/kerberos/krb5-1.2.8/src/appl/gssftp/ftp/ftp sleepy.seven.dwarfs.com
> Connected to sleepy.seven.dwarfs.com
> 220 emssyb1 FTP server (Version 5.60) ready.
> 334 Using authentication type GSSAPI; ADAT must follow
> GSSAPI accepted as authentication type
> GSSAPI error major: Miscellaneous failure
> GSSAPI error minor: No principal in keytab matches desired name
> GSSAPI error: acquiring credentials
> GSSAPI ADAT failed
> GSSAPI authentication failed
> 
> emssyb1:/>/usr/kerberos/krb5-1.2.8/src/clients/klist/klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 ftp/sleepy.seven.dwarfs.com at DISNEY
>    3 ftp/sleepy.seven.dwarfs.com at DISNEY
>    3 host/sleepy.seven.dwarfs.com at DISNEY
>    3 host/sleepy.seven.dwarfs.com at DISNEY
>    3 telnet/sleepy.seven.dwarfs.com at DISNEY
>    3 telnet/sleepy.seven.dwarfs.com at DISNEY



...Now someone (Ken Hornstein) suggested that I turn on logging for
ftpd to log to the syslog.  This was supposed to give me more
information about the error.  I now have ftpd logging to syslog but no
new info; the same error is showing up in the syslog now.
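
One way to check a keytab listing against the error above, as an added example that is not part of the original post: parse the `klist -k` lines and list which ftp/ or host/ principals exist for a given server hostname. The function names and the assumption that the acceptor looks for those two services under the server's own hostname are illustrative; the keytab lines are the ones posted above.

```python
import re

# klist -k lines as posted above; the list archive shows "@" as " at ".
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 ftp/sleepy.seven.dwarfs.com at DISNEY
   3 ftp/sleepy.seven.dwarfs.com at DISNEY
   3 host/sleepy.seven.dwarfs.com at DISNEY
   3 host/sleepy.seven.dwarfs.com at DISNEY
   3 telnet/sleepy.seven.dwarfs.com at DISNEY
   3 telnet/sleepy.seven.dwarfs.com at DISNEY
"""

# Assumption: the acceptor tries these services with the server's own hostname.
SERVICES = ("ftp", "host")

# "KVNO service/host@REALM"; also accepts the archive's " at " separator.
ENTRY = re.compile(r"^\s*(\d+)\s+([^/\s@]+)/([^\s@]+?)(?:@|\s+at\s+)(\S+)\s*$")

def parse_keytab_listing(text):
    """Return {(service, host, realm): {kvno, ...}} from `klist -k` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match
            kvno, service, host, realm = m.groups()
            entries.setdefault((service, host, realm), set()).add(int(kvno))
    return entries

def acceptor_matches(entries, hostname, services=SERVICES):
    """Keytab principals usable for `hostname` (lowercased, trailing dot dropped)."""
    hostname = hostname.lower().rstrip(".")
    return sorted(f"{s}/{h}@{r}" for (s, h, r) in entries
                  if h == hostname and s in services)

def report(entries, hostnames):
    """Map each candidate hostname to its matching principals (empty = none)."""
    return {name: acceptor_matches(entries, name) for name in hostnames}

if __name__ == "__main__":
    keytab = parse_keytab_listing(KLIST_OUTPUT)
    # The two server names that appear in the post: ftp target and 220 banner.
    for name, found in report(keytab, ["sleepy.seven.dwarfs.com", "emssyb1"]).items():
        print(f"{name}: {', '.join(found) if found else 'no ftp/ or host/ principal'}")
```

On a live server, feed the function the real `klist -k` output and the name printed by `hostname`; the keytab stores principal names exactly as written, so an uppercase or short hostname in either place shows up as an empty result.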
