FTP - GSSAPI Error acquiring credentials

Pierre Goyette pierre at montreal.hcl.com
Tue Jun 8 13:26:06 EDT 2004


I have a Solaris box with MIT Kerberos 1.3.3 installed as an application
server which is part of a Windows 2000 KDC.
 
I can perform a kerberized telnet to the box perfectly. However, I
cannot ftp to the box. In my system log (and I enabled debugging for
ftpd), I see:
 
Jun  8 12:51:04 ultra ftpd[1062]: [ID 291755 daemon.info] importing <ftp@ultra>
Jun  8 12:51:04 ultra ftpd[1062]: [ID 291755 daemon.info] importing <host@ultra>
Jun  8 12:51:04 ultra ftpd[1062]: [ID 399347 daemon.error] gssapi error acquiring credentials

An Ethereal trace shows the client receiving a 501-GSSAPI error minor: no
principal in keytab matches desired name.
 
ktutil on the host shows:
 
# ktutil 
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM
   2    1 ftp/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM

On my client, I properly acquire all the right tickets, klist -e shows:
 
Ticket cache: API:krb5cc
Default principal: pierre@MTLW2KTEST.MONTREAL.HCL.COM

Valid starting     Expires            Service principal
06/08/04 08:01:18  06/08/04 18:01:18  krbtgt/MTLW2KTEST.MONTREAL.HCL.COM@MTLW2KTEST.MONTREAL.HCL.COM
        renew until 06/15/04 08:01:18, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/08/04 12:04:48  06/08/04 18:01:18  host/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM
        renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
06/08/04 12:05:47  06/08/04 18:01:18  ftp/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM
        renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: API:krb4cc
 
On my FTP client, I tried using either 'host' or 'ftp' as the GSS
Service Name and still get the same error.
 
What could be the problem?
 
TIA,
 
Pierre Goyette
 
 

