kerberos ftpd bug? can't get it to work (New, sort of)

root jpalma78 at hotmail.com
Tue Oct 7 13:19:03 EDT 2003


how do you set the kdc to write to syslog?  Is it just setting all
daemons to log somewhere (i.e. *.debug     /tmp/syslog)?

btw, I am not changing the names in our configuration for my health or
due to personal paranoia.  Last time I posted something that had info
about our internal setup my boss wanted to kill me...so I guess I am
doing it for my health, hmmm...Anyway, I realize it makes things more
difficult but I really do need and appreciate the help.  I tried to
depict the keytab and errors identical to reality with the exception
of the names being changed to protect the innocent (me from my boss).
So if the keytab says:

3 ftp/sleepy.seven.dwarfs.com at DISNEY

you can assume correctly that my keytab says :

3 ftp/my.real.domain.com at MYREALREALM

thanks again all...

deengert at anl.gov ("Douglas E. Engert") wrote in message news:<3F81D3E3.45EB89E2 at anl.gov>...
> One other thing to watch is the syslog of the KDC to see what ticket is 
> issued to the client which will be used with the server. This  might
> indicate what principal is being used.
> 
>  It might be that the krb5.conf [domain_realm] or DNS is assuming the 
> server is in a different realm.
> 
> 
> (It appears you are changing the names of the hosts and realm to try
> and be anonymous. This makes it harder to debug, as you may be hiding 
> a clue to the problem.)
> 
> root wrote:
> > 
> > Subject: kerberos ftpd bug? can't get it to work (New, sort of)
> > 
> > 
> > I posted this question a few weeks ago and got two responses asking me
> > to provide more accurate info about my setup.  So here it is.  I hope
> > this is good enough b/c this is as close as I am allowed to get to
> > reality...
> > 
> > > Does anyone know how to get ftp working on Kerberos V5.  I can connect
> > > to the ftp server but I fail to authenticate.  I keep getting an error
> > > message that "No principal in keytab matches desired name".  But my
> > > keytab file appears correct.  In fact, telnet and rsh are working.
> > > The only thing that doesn't work is ftp.  I have tried removing the
> > > ftp entry from my keytab file (supposedly some versions of kerberos
> > > will not work with ftp/host; only host/host) and I connect using the
> > > FQDN (also heard ftp is quirky about FQDNs) but I get exactly the same
> > > problems. I have tried everything and pored over all the docs I could
> > > get my hands on to no avail.  I suspect it's something stupid I am
> > > overlooking or maybe there's some obscure work around.  Anyway, my
> > > boss really wants this implemented and I am stumped.  Anyone out there
> > > got any ideas?  ANY HELP WILL BE GREATLY APPRECIATED!
> > >
> > > I PASTED THE ERROR AND MY KEYTAB FILE BELOW:
> > >
> > > root at dopey# /usr/kerberos/krb5-1.2.8/src/appl/gssftp/ftp/ftp sleepy.seven.dwarfs.com
> > > Connected to sleepy.seven.dwarfs.com
> > > 220 emssyb1 FTP server (Version 5.60) ready.
> > > 334 Using authentication type GSSAPI; ADAT must follow
> > > GSSAPI accepted as authentication type
> > > GSSAPI error major: Miscellaneous failure
> > > GSSAPI error minor: No principal in keytab matches desired name
> > > GSSAPI error: acquiring credentials
> > > GSSAPI ADAT failed
> > > GSSAPI authentication failed
> > >
> > > emssyb1:/>/usr/kerberos/krb5-1.2.8/src/clients/klist/klist -k
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Principal
> > > ---- --------------------------------------------------------------------------
> > >    3 ftp/sleepy.seven.dwarfs.com at DISNEY
> > >    3 ftp/sleepy.seven.dwarfs.com at DISNEY
> > >    3 host/sleepy.seven.dwarfs.com at DISNEY
> > >    3 host/sleepy.seven.dwarfs.com at DISNEY
> > >    3 telnet/sleepy.seven.dwarfs.com at DISNEY
> > >    3 telnet/sleepy.seven.dwarfs.com at DISNEY
> > 
> > ...Now someone (Ken Hornstein) suggested that I turn on logging for
> > ftpd to log to the syslog.  This was supposed to give me more
> > information about the error.  I now have ftpd logging to syslog but no
> > new info; the same error is showing up in the syslog now.
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>  
> -- 
> 
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439 
>  (630) 252-5444
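A small diagnostic, added here and not from the thread or from MIT krb5, that checks the point Douglas raises: whether the realm a server would derive for its own hostname through [domain_realm] actually matches the realm of the ftp/ and host/ principals in its keytab. The klist -k text and the domain_realm mapping are constructed from the thread's names (the archive prints "at" where real output has "@"), and the lookup order is a simplified version of MIT's host-to-realm rules.

```python
import re

# Constructed `klist -k` output using the thread's (disguised) names.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   3 ftp/sleepy.seven.dwarfs.com@DISNEY
   3 host/sleepy.seven.dwarfs.com@DISNEY
   3 telnet/sleepy.seven.dwarfs.com@DISNEY
"""

# Constructed krb5.conf [domain_realm] mapping (hypothetical values).
DOMAIN_REALM = {".seven.dwarfs.com": "DISNEY"}


def parse_klist(text):
    """Return {principal: set of KVNOs} parsed from `klist -k` output."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)$", line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def host_realm(host, mapping):
    """Simplified MIT [domain_realm] lookup: the exact hostname first, then
    each parent domain with a leading dot; with no match, fall back to the
    hostname's domain part in upper case (DNS lookup is not modelled)."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return (".".join(labels[1:]) or host).upper()


def check_service_keys(host, services, keytab, mapping):
    """For each service, report whether service/host@<derived realm> is in
    the keytab; a False here is the 'No principal in keytab matches desired
    name' situation from the thread."""
    realm = host_realm(host, mapping)
    return {f"{svc}/{host}@{realm}": f"{svc}/{host}@{realm}" in keytab
            for svc in services}


if __name__ == "__main__":
    kt = parse_klist(KLIST_OUTPUT)
    for principal, present in check_service_keys(
            "sleepy.seven.dwarfs.com", ["ftp", "host"], kt, DOMAIN_REALM).items():
        print(("found   " if present else "MISSING ") + principal)
```

Running it against a mapping that sends the host to a different realm (or with no mapping at all, so the fallback realm is used) shows the expected principal the keytab lacks, which is what to compare against the ticket the KDC logs.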

