kerberos ftpd bug? can't get it to work (New, sort of)

Douglas E. Engert deengert at anl.gov
Tue Oct 7 14:50:28 EDT 2003



root wrote:
> 
> how do you set the kdc to write to syslog?  Is it just setting all
> daemons to log somewhere (i.e. *.debug     /tmp/syslog)?

See the documentation on kdc.conf; it's in the doc directory, or on the web:
http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#kdc.conf
or the sample:
http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#Sample%20kdc.conf%20File

This logs to a file, but you can use syslog.

> 
> btw, I am not changing the names in our configuration for my health or
> due to personal paranoia.  Last time I posted something that had info
> about our internal setup my boss wanted to kill me...so I guess I am
> doing for my health, hmmm...Anyway, I realize it makes things more
> difficult but I really do need and appreciate the help. 

Unfortunately your e-mail address is also not valid, so I assume you 
must be reading the list using some other name. So I can not contact you
personally.

> I tried to
> depict the keytab and errors identical to reality with the exception
> of the names being changed to protect the innocent (me from my boss).

Well then you and your boss are on your own. Sorry I can't help more.


> So if the keytab says:
> 
> 3 ftp/sleepy.seven.dwarfs.com at DISNEY
> 
> you can assume correctly that my keytab says :
> 
> 3 ftp/my.real.domain.com at MYREALREALM

The point is there is a relation between how a client determines the 
realm of a host. If you hide the real domain and real realm name, one 
can not determine if your problem is caused by your changing the 
names or something else. 


> 
> thanks again all...
> 
> deengert at anl.gov ("Douglas E. Engert") wrote in message news:<3F81D3E3.45EB89E2 at anl.gov>...
> > One other thing to watch is the syslog of the KDC to see what ticket is
> > issued to the client which will be used with the server. This might
> > indicate what principal is being used.
> >
> >  It might be that the krb5.conf [domain_realm] or DNS is assuming the
> > server is in a different realm.

You did not indicate if this was set correctly.

> >
> >
> > (It appears you are changing the names of the hosts and realm to try
> > and be anonymous. This makes it harder to debug, as you may be hiding
> > a clue to the problem.)
> >
> > root wrote:
> > >
> > > Subject: kerberos ftpd bug? can't get it to work (New, sort of)
> > >
> > >
> > > I posted this question a few weeks ago and got two responses asking me
> > > to provide more accurate info about my setup.  So here it is.  I hope
> > > this is good enough b/c this is as close as I am allowed to get to
> > > reality...
> > >
> > >  Does anyone know how to get ftp working on Kerberos V5.  I can
> > > connect
> > > > to the ftp server but I fail to authenticate.  I keep getting an error
> > > > message that "No principal in keytab matches desired name".  But my
> > > > keytab file appears correct.  In fact, telnet and rsh are working.
> > > > The only thing that doesn't work is ftp.  I have tried removing the
> > > > ftp entry from my keytab file (supposedly some versions of kerberos
> > > > will not work with ftp/host; only host/host) and I connect using the
> > > > FQDN (also heard ftp is quirky about FQDNs) but I get exactly the same
> > > > problems. I have tried everything and pored over all the docs I could
> > > > get my hands on to no avail.  I suspect it's something stupid I am
> > > > overlooking or maybe there's some obscure work around.  Anyway, my
> > > > boss really wants this implemented and I am stumped.  Anyone out there
> > > > got any ideas?  ANY HELP WILL BE GREATLY APPRECIATED!
> > > >
> > > > I PASTED THE ERROR AND MY KEYTAB FILE BELOW:
> > > >
> > > > root at dopey# /usr/kerberos/krb5-1.2.8/src/appl/gssftp/ftp/ftp
> > > > sleepy.seven.dwarfs.com
> > > > Connected to sleepy.seven.dwarfs.com
> > > > 220 emssyb1 FTP server (Version 5.60) ready.
> > > > 334 Using authentication type GSSAPI; ADAT must follow
> > > > GSSAPI accepted as authentication type
> > > > GSSAPI error major: Miscellaneous failure
> > > > GSSAPI error minor: No principal in keytab matches desired name
> > > > GSSAPI error: acquiring credentials
> > > > GSSAPI ADAT failed
> > > > GSSAPI authentication failed
> > > >
> > > > emssyb1:/>/usr/kerberos/krb5-1.2.8/src/clients/klist/klist -k
> > > > Keytab name: FILE:/etc/krb5.keytab
> > > > KVNO Principal
> > > > ---- --------------------------------------------------------------------------
> > > >    3 ftp/sleepy.seven.dwarfs.com at DISNEY
> > > >    3 ftp/sleepy.seven.dwarfs.com at DISNEY
> > > >    3 host/sleepy.seven.dwarfs.com at DISNEY
> > > >    3 host/sleepy.seven.dwarfs.com at DISNEY
> > > >    3 telnet/sleepy.seven.dwarfs.com at DISNEY
> > > >    3 telnet/sleepy.seven.dwarfs.com at DISNEY
> > >
> > > ...Now someone (Ken Hornstein) suggested that I turn on logging for
> > > ftpd to log to the syslog.  This was supposed to give me more
> > > information about the error.  I now have ftpd logging to syslog but no
> > > new info; the same error is showing up in the syslog now.
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
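The realm-mapping point above is easy to check mechanically. The following is an added example, not code from the thread or from MIT Kerberos: it models how a server builds the service principal it will look up (ftp/<fqdn>@<REALM>) from a krb5.conf [domain_realm] mapping and tests that name against a `klist -k` listing, so a realm or hostname mismatch shows up as the "No principal in keytab matches desired name" situation. The krb5.conf fragment and klist output are constructed, DNS TXT lookup is omitted, and the `default_realm` fallback is a simplification.

```python
import re

# Constructed krb5.conf fragment (example values only, not a real site's config).
KRB5_CONF = """
[domain_realm]
    .seven.dwarfs.com = DISNEY
"""

# Constructed `klist -k` listing mirroring the keytab shown in the thread.
KLIST_K = """
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------
   3 ftp/sleepy.seven.dwarfs.com@DISNEY
   3 host/sleepy.seven.dwarfs.com@DISNEY
"""

def parse_domain_realm(conf):
    """Return {host_or_domain: REALM} from the [domain_realm] section."""
    mapping, in_section = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = (line == "[domain_realm]")
        elif in_section and "=" in line:
            key, realm = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def host_realm(fqdn, mapping, default_realm):
    """Exact host first, then each parent domain with a leading dot (longest
    first); fall back to default_realm. Simplified: no DNS TXT lookup (assumption)."""
    fqdn = fqdn.lower()
    if fqdn in mapping:
        return mapping[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        realm = mapping.get("." + ".".join(labels[i:]))
        if realm:
            return realm
    return default_realm

def keytab_principals(klist_output):
    """Principal names from `klist -k` output (lines of 'KVNO principal')."""
    return set(re.findall(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_output, re.M))

def check_service_principal(service, fqdn, conf, klist_output, default_realm="DEFAULT.REALM"):
    """Build service/<fqdn>@<REALM> as the server would and test it against the keytab."""
    wanted = f"{service}/{fqdn}@{host_realm(fqdn, parse_domain_realm(conf), default_realm)}"
    present = keytab_principals(klist_output)
    head = wanted.split("@")[0].lower()
    near = sorted(p for p in present if p != wanted and p.split("@")[0].lower() == head)
    return {"wanted": wanted, "found": wanted in present, "same_host_other_realm": near}
```

Run with the host's real FQDN and realm: a `found: False` result with entries under `same_host_other_realm` points at the [domain_realm] or DNS mapping rather than at the keytab itself.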

