FTP - GSSAPI Error acquiring credentials

Pierre Goyette pierre at montreal.hcl.com
Tue Jun 8 15:33:43 EDT 2004


Donn,

Although my DNS is properly configured, I just discovered that I need an
entry in my /etc/hosts of the form:

	Ipaddress	fqdns		shortname

Example:

	10.4.1.243	ultra.mtlw2ktest.montreal.hcl.com	ultra 

I don't understand why but someone suggested this and that was the
trick.

Thanks,

Pierre

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
Behalf Of Donn Cave
Sent: Tuesday, June 08, 2004 1:57 PM
To: kerberos at MIT.EDU
Subject: Re: FTP - GSSAPI Error acquiring credentials

In article
<88C8B14D74194F409F0E4AEC20DF2284074CB5 at MTLFS1.montreal.hcl.com>,
 pierre at montreal.hcl.com ("Pierre Goyette") wrote:
> I have a Solaris box with MIT Kerberos 1.3.3 installed as an 
> application server which is part of a Windows 2000 KDC.
>  
> I can perform a kerberized telnet to the box perfectly. However, I 
> cannot ftp to the box.
...
> An Ethereal trace shows the client receiving a 501-GSSAPI error minor: 
> no principal in keytab matches desired name.
...
> On my client, I properly acquire all the right tickets, klist -e shows:
>
> Ticket cache: API:krb5cc
> Default principal: pierre at MTLW2KTEST.MONTREAL.HCL.COM
> Valid starting Expires Service principal
> 06/08/04 08:01:18 06/08/04 18:01:18 krbtgt/MTLW2KTEST.MONTREAL.HCL.COM at MTLW2KTEST.MONTREAL.HCL.COM
> renew until 06/15/04 08:01:18, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> 06/08/04 12:04:48 06/08/04 18:01:18 host/ultra.mtlw2ktest.montreal.hcl.com at MTLW2KTEST.MONTREAL.HCL.COM
> renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
> 06/08/04 12:05:47 06/08/04 18:01:18 ftp/ultra.mtlw2ktest.montreal.hcl.com at MTLW2KTEST.MONTREAL.HCL.COM
> renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> Kerberos 4 ticket cache: API:krb4cc

I see your ftp service ticket's encryption is different from the host
service ticket.  If you could, as root, try

 $ klist -k -e

does the ftp key's encryption type match your service ticket?

   Donn Cave, donn at u.washington.edu
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
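
An added example, not part of the original thread: a check of whether the name order in a hosts file yields a service principal that is actually in the keytab, which is what the "no principal in keytab matches desired name" error is about. It assumes the server builds its acceptor principal from the canonical name the resolver returns for the local hostname and that the hosts file is consulted before DNS; the hosts files, KVNOs and keytab listing are constructed samples.

```python
# Added example, not from the original thread. Assumption: the server derives
# its acceptor principal from the canonical (first-listed) name the resolver
# returns for the local hostname, and the hosts file is consulted before DNS.

REALM = "MTLW2KTEST.MONTREAL.HCL.COM"
FQDN = "ultra.mtlw2ktest.montreal.hcl.com"

# Constructed hosts files: a short-name-only entry, and the form from the post.
HOSTS_SHORT_ONLY = "127.0.0.1 localhost\n10.4.1.243 ultra  # short name only\n"
HOSTS_FQDN_FIRST = "127.0.0.1 localhost\n10.4.1.243 " + FQDN + " ultra\n"

# Constructed `klist -k -e` style listing; the KVNO values are made up.
KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   3 host/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM (DES cbc mode with RSA-MD5)
   3 ftp/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM (DES cbc mode with CRC-32)
"""

def canonical_name(hosts_text, name):
    """First name on the hosts line that lists `name` (the canonical name)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[1].lower()
    return None                                  # not in hosts: DNS would decide

def keytab_principals(klist_output):
    """Principal names from `klist -k` output (entry lines start with a KVNO)."""
    principals = set()
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            principals.add(parts[1])
    return principals

def check(hosts_text, hostname, service, realm, klist_output):
    """Return (principal the server would look for, whether the keytab has it)."""
    canon = canonical_name(hosts_text, hostname)
    wanted = "%s/%s@%s" % (service, canon, realm)
    return wanted, wanted in keytab_principals(klist_output)

if __name__ == "__main__":
    for label, hosts in (("short only", HOSTS_SHORT_ONLY), ("fqdn first", HOSTS_FQDN_FIRST)):
        wanted, found = check(hosts, "ultra", "ftp", REALM, KLIST_K)
        print("%-10s  %s  in keytab: %s" % (label, wanted, found))
```

On a real server, replace the sample strings with the contents of /etc/hosts and the output of `klist -k -e` run as root.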
