kerberos ftpd bug? can't get it to work (New, sort of)

Douglas E. Engert deengert at anl.gov
Mon Oct 6 16:43:15 EDT 2003 

One other thing to watch is the syslog of the KDC to see what ticket is 
issed to the client which will be used with the server. This  might
indicate what principal is being used.  

 It might be that the krb5.conf [domain_realm] or DNS is assuming the 
server is in a different realm.


(It apears you are changing the names of the hosts and realm to try
and be anonymous. This makes it harder to debug, as you may be hiding 
a clue to the problem.)

root wrote:
> 
> Subject: kerberos ftpd bug? can't get it to work (New, sort of)
> 
> 
> I posted this question a few weeks ago and got two responses asking me
> to provide more accurate info about my setup.  So here it is.  I hope
> this is good enough b/c this is as close as I am allowed to get to
> reality...
> 
>  Does anyone know how to get ftp working on Kerberos V5.  I can
> connect
> > to the ftp server but I fail to authenticate.  I keep getting an error
> > message that "No principal in keytab matches desired name".  But my
> > keytab file appears correct.  In fact, telnet and rsh are working.
> > The only thing that doesn't work is ftp.  I have tried removing the
> > ftp entry from my keytab file (supposedly some versions of kerberos
> > will not work with ftp/host; only host/host) and I connect using the
> > FQDN (also heard ftp is qwerky about FQDNs) but I get exactly the same
> > problems. I have tried everything and poured over all the docs I could
> > get my hands on to no avail.  I suspect it's something stupid I am
> > overlooking or maybe there's some obscure work around.  Anyway, my
> > boss really wants this implemented and I am stumped.  Anyone out there
> > got any ideas?  ANY HELP WILL BE GREATLY APPRECIATED!
> >
> > I PASTED THE ERROR AND MY KEYTAB FILE BELOW:
> >
> > root at dopey# /usr/kerberos/krb5-1.2.8/src/appl/gssftp/ftp/ftp
> > sleepy.seven.dwarfs.com
> > Connected to sleepy.seven.dwarfs.com
> > 220 emssyb1 FTP server (Version 5.60) ready.
> > 334 Using authentication type GSSAPI; ADAT must follow
> > GSSAPI accepted as authentication type
> > GSSAPI error major: Miscellaneous failure
> > GSSAPI error minor: No principal in keytab matches desired name
> > GSSAPI error: acquiring credentials
> > GSSAPI ADAT failed
> > GSSAPI authentication failed
> >
> > emssyb1:/>/usr/kerberos/krb5-1.2.8/src/clients/klist/klist -k
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    3 ftp/sleepy.seven.dwarfs.com at DISNEY
> >    3 ftp/sleepy.seven.dwarfs.com at DISNEY
> >    3 host/sleepy.seven.dwarfs.com at DISNEY
> >    3 host/sleepy.seven.dwarfs.com at DISNEY
> >    3 telnet/sleepy.seven.dwarfs.com at DISNEY
> >    3 telnet/sleepy.seven.dwarfs.com at DISNEY
> 
> ...Now someone (Ken Hornstein) suggested that I turn on logging for
> ftpd to log to the syslog.  This was supposed to give me more
> information about the error.  I now have ftpd logging to syslog but no
> new info; the same error is showing up in the syslog now.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the Kerberos mailing list