Kerberos5 FTP not working. Need Help!
James Chen
Chenj at juniper.net
Mon Nov 15 20:13:22 EST 2004
Greetings,
I am trying to set up a Kerberos FTP server and client for an urgent task. The FTP server and KDC are on the same host. The client is on another host. I followed all the configuration steps. The client got all the tickets (TGT, ftp, host). But when I tried to ftp, I got this error saying "GSSAPI error minor: No principal in keytab matches desired name" (see the debug below). I searched the email archive before. Someone suggested it is related to the /etc/hosts config. I am not sure what the correct config should be, though. I attached the /etc/hosts files on client and server below. Could anyone help to see if anything is missing? I also attached all the Kerberos-related config on client and server below (/etc/hosts, klist -e -k, listprincs, krb5.conf, kdc.conf).
Thanks a million!!
James
[root@rh9 bin]# ./ftp -d -v server.james.com
Connected to server.james.com.
220 localhost.localdomain FTP server (Version 5.60) ready.
---> AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
Trying to authenticate to <ftp@server.james.com>
calling gss_init_sec_context
---> ADAT ...
---> AUTH GSSAPI
Trying to authenticate to <host@server.james.com>
calling gss_init_sec_context
---> ADAT ...
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No principal in keytab matches desired name
GSSAPI error: acquiring credentials
GSSAPI ADAT failed
---> AUTH GSSAPI
GSSAPI authentication failed
---> AUTH KERBEROS_V4
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (server.james.com:root):
=============================
Server Config
=============================
==========
/etc/hosts
==========
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.1.1 server.james.com server1
10.150.41.73 client.james.com client1
==========
klist -k
==========
[root@localhost xinetd.d]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/server.james.com@JAMES.COM
3 host/client.james.com@JAMES.COM
3 host/server.james.com@JAMES.COM
2 root/client.james.com@JAMES.COM
2 root/server.james.com@JAMES.COM
3 ftp/server.james.com@JAMES.COM
3 host/client.james.com@JAMES.COM
2 root/client.james.com@JAMES.COM
2 root/server.james.com@JAMES.COM
3 ftp/server.james.com@JAMES.COM
==========
klist -e
==========
[root@localhost xinetd.d]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/server.james.com@JAMES.COM
Valid starting Expires Service principal
11/15/04 14:29:53 11/16/04 14:29:53 krbtgt/JAMES.COM@JAMES.COM
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
===========
listprincs
===========
kadmin: listprincs
K/M@JAMES.COM
ftp/server.james.com@JAMES.COM
host/client.james.com@JAMES.COM
host/server.james.com@JAMES.COM
kadmin/admin@JAMES.COM
kadmin/changepw@JAMES.COM
kadmin/history@JAMES.COM
krbtgt/JAMES.COM@JAMES.COM
root/admin@JAMES.COM
root/client.james.com@JAMES.COM
root/server.james.com@JAMES.COM
==============
/etc/krb5.conf
==============
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = JAMES.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
JAMES.COM = {
kdc = server.james.com:88
admin_server = server.james.com:749
default_domain = james.com
}
[domain_realm]
.james.com = JAMES.COM
james.com = JAMES.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
==============================
/var/kerberos/krb5kdc/kdc.conf
==============================
[kdcdefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = nopreauth
[realms]
JAMES.COM = {
master_key_type = des-cbc-crc
supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
=============================
Client Config
=============================
==========
/etc/hosts
==========
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 rh9 localhost.localdomain localhost
10.150.41.73 client.james.com
192.168.1.1 server.james.com
==========
klist -e
==========
[root@rh9 bin]# ./klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/client.james.com@JAMES.COM
Valid starting Expires Service principal
11/15/04 12:29:30 11/15/04 22:29:09 krbtgt/JAMES.COM@JAMES.COM
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
11/15/04 12:47:34 11/15/04 22:29:09 host/server.james.com@JAMES.COM
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
11/15/04 14:20:59 11/15/04 22:29:09 ftp/server.james.com@JAMES.COM
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
==========
klist -k
==========
[root@rh9 bin]# ./klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 root/client.james.com@JAMES.COM
3 root/client.james.com@JAMES.COM
3 root/server.james.com@JAMES.COM
3 root/server.james.com@JAMES.COM
4 host/client.james.com@JAMES.COM
4 ftp/server.james.com@JAMES.COM
4 host/client.james.com@JAMES.COM
4 host/server.james.com@JAMES.COM
4 ftp/server.james.com@JAMES.COM
4 host/server.james.com@JAMES.COM
[root@rh9 bin]#
==============
/etc/krb5.conf
==============
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = JAMES.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
JAMES.COM = {
kdc = server.james.com:88
admin_server = server.james.com:749
default_domain = james.com
}
[domain_realm]
.james.com = JAMES.COM
james.com = JAMES.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
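Editor's added example (not part of the post above, and not MIT Kerberos code): a small Python check that models the mismatch behind the minor status "No principal in keytab matches desired name". A GSSAPI acceptor such as ftpd derives the principal it wants from the service name plus the host's own canonical name; if that name is not what the keytab was built for, credential acquisition fails even though the client holds a perfectly good ftp/server.james.com ticket. The sample /etc/hosts and klist -k text are constructed from the server-side listings quoted in the post (with "@" restored where the list archive printed " at "). Canonicalisation is modelled through /etc/hosts only, which is an assumption; a real resolver may also consult DNS. The hostnames "localhost" (as shown in the server's shell prompt and the "220 localhost.localdomain" banner in the post) and "server1" are used purely to illustrate the two outcomes.

```python
import re

# Constructed from the server-side listings quoted in the post.
HOSTS_SERVER = """\
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.1.1 server.james.com server1
10.150.41.73 client.james.com client1
"""

KLIST_K_SERVER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.james.com@JAMES.COM
   3 host/client.james.com@JAMES.COM
   2 root/server.james.com@JAMES.COM
   3 ftp/server.james.com@JAMES.COM
"""


def parse_hosts(text):
    """Parse /etc/hosts text into a list of (address, [names]); comments and
    blank lines are skipped, and names keep their order on the line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def canonical_name(hostname, hosts_entries):
    """Mimic canonicalisation through /etc/hosts (assumption: no DNS): the
    first line on which hostname appears wins, and the first name on that
    line is the canonical one. Unknown names pass through unchanged."""
    for _addr, names in hosts_entries:
        if hostname in names:
            return names[0]
    return hostname


def parse_keytab_listing(text):
    """Collect the principal names from `klist -k` output (the column after
    KVNO); duplicate entries collapse into the set."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def acceptor_principal(service, hostname, hosts_entries, realm):
    """The name a GSSAPI acceptor ends up asking the keytab for: service
    joined with the host's canonical name and the realm."""
    return f"{service}/{canonical_name(hostname, hosts_entries)}@{realm}"


def check_keytab(service, hostname, hosts_text, klist_text, realm):
    """Return (found, wanted, available): wanted is the principal the acceptor
    will look for, found says whether the keytab holds it, and available lists
    the keytab entries for that service, i.e. what the host would have to be
    called for the lookup to succeed."""
    entries = parse_hosts(hosts_text)
    principals = parse_keytab_listing(klist_text)
    wanted = acceptor_principal(service, hostname, entries, realm)
    available = sorted(p for p in principals if p.startswith(service + "/"))
    return wanted in principals, wanted, available


if __name__ == "__main__":
    # "localhost" is the hostname shown in the server's prompt in the post;
    # "server1" is what the same host would be called if its hostname matched
    # its own /etc/hosts entry. Both are illustrative assumptions.
    for name in ("localhost", "server1"):
        found, wanted, available = check_keytab(
            "ftp", name, HOSTS_SERVER, KLIST_K_SERVER, "JAMES.COM")
        status = "OK" if found else "MISSING"
        print(f"hostname={name!r}: wants {wanted} -> {status}; "
              f"keytab has {available}")
```

Run as a script it prints one line per hostname; with "localhost" the wanted principal becomes ftp/localhost.localdomain@JAMES.COM, which the keytab does not contain, while with "server1" it resolves to ftp/server.james.com@JAMES.COM and matches. The same check, pointed at the real hostname and the real klist -k output, tells you whether a service keytab and the host's identity agree before any client is involved.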