FTP - GSSAPI Error acquiring credentials

Markus Moeller huaraz at btinternet.com
Tue Jun 8 14:22:49 EDT 2004 

Pierre,

The server tries to import ftp at ultra whereas the keytab I assume has
ftp/ultra.mtlw2ktest.montreal.hcl.com.
Check /etc/hosts and replacae ultra for ultra.mtlw2ktest.montreal.hcl.com

Regards
Markus

"Pierre Goyette" <pierre at montreal.hcl.com> wrote in message
news:88C8B14D74194F409F0E4AEC20DF2284074CB5 at MTLFS1.montreal.hcl.com...
I have a Solaris box with MIT Kerberos 1.3.3 installed as an application
server which is part of a Windows 2000 KDC.

I can perform a kerberized telnet to the box perfectly. However, I
cannot ftp to the box. In my system log (and I enabled debugging for
ftpd), I see:

Jun  8 12:51:04 ultra ftpd[1062]: [ID 291755 daemon.info] importing
<ftp at ultra>
Jun  8 12:51:04 ultra ftpd[1062]: [ID 291755 daemon.info] importing
<host at ultra>
Jun  8 12:51:04 ultra ftpd[1062]: [ID 399347 daemon.error] gssapi error
acquiring credentials

A Ethereal trace shows the client receiving a 501-GSSAPI error minor: no
principal in keytab matches desired name.

ktutil on the host shows:

# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
   1    1
host/ultra.mtlw2ktest.montreal.hcl.com at MTLW2KTEST.MONTREAL.HCL.COM
   2    1
ftp/ultra.mtlw2ktest.montreal.hcl.com at MTLW2KTEST.MONTREAL.HCL.COM

On my client, I properly acquire all the right tickets, klist -e shows:

Ticket cache: API:krb5cc
Default principal: pierre at MTLW2KTEST.MONTREAL.HCL.COM
Valid starting Expires Service principal
06/08/04 08:01:18 06/08/04 18:01:18
krbtgt/MTLW2KTEST.MONTREAL.HCL.COM at MTLW2KTEST.MONTREAL.HCL.COM
renew until 06/15/04 08:01:18, Etype (skey, tkt): ArcFour with HMAC/md5,
ArcFour with HMAC/md5
06/08/04 12:04:48 06/08/04 18:01:18
host/ultra.mtlw2ktest.montreal.hcl.com at MTLW2KTEST.MONTREAL.HCL.COM
renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with
RSA-MD5, DES cbc mode with RSA-MD5
06/08/04 12:05:47 06/08/04 18:01:18
ftp/ultra.mtlw2ktest.montreal.hcl.com at MTLW2KTEST.MONTREAL.HCL.COM
renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32
Kerberos 4 ticket cache: API:krb4cc

On my FTP client, I tried using either 'host' or 'ftp' as the GSS
Service Name and still get the same error.

What could be the problem?

TIA,

Pierre Goyette


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list