Kerberos5 FTP not working. Need Help!

Douglas E. Engert deengert at anl.gov
Tue Nov 16 10:38:38 EST 2004



James Chen wrote:
> Greetings,
> 
> I am trying to set up a Kerberos FTP server and client for an urgent task. The FTP server and KDC are on the same host. The client is on another host. I followed all the configuration steps. The client got all the tickets (TGT, ftp, host). But when I tried to ftp, I got this error saying "GSSAPI error minor: No principal in keytab matches desired name" (see the debug below). I searched the email before. Someone suggested it is related to /etc/hosts config. I am not sure what should be the correct config though. I attached the /etc/hosts files on client and server below. Could anyone help to see if anything is missing? I also attached all the Kerberos related config on client and server below (/etc/hosts, klist -e -k, listprincs, krb5.conf, kdc.conf).
> 
> Thanks a million!!
> James
> 
> [root at rh9 bin]# ./ftp -d -v server.james.com
> Connected to server.james.com.
> 220 localhost.localdomain FTP server (Version 5.60) ready.

The above line should have the FQDN of the host, not localhost.localdomain.
Try "man hostname" to see how to set the hostname.
Somehow it is assuming the loopback adapter address represents the hostname.

> ---> AUTH GSSAPI
> 334 Using authentication type GSSAPI; ADAT must follow
> GSSAPI accepted as authentication type
> Trying to authenticate to <ftp at server.james.com>
> calling gss_init_sec_context
> ---> ADAT [...]
> ---> AUTH GSSAPI
> Trying to authenticate to <host at server.james.com>
> calling gss_init_sec_context
> ---> ADAT YIICMgYJKoZIhvcSAQICAQBuggIhMIICHaADAgEFoQMCAQ6iBwMFACAAAACjggExYYIBLTCCASmgAwIBBaELGwlKQU1FUy5DT02iIzAhoAMCAQOhGjAYGwRob3N0GxBzZXJ2ZXIuamFtZXMuY29to4HvMIHsoAMCARChAwIBAaKB3wSB3CmC7PkYF1KoyIgBR4Rle4lpyzIRzHvDL0MpMEL2pAwHbVasOqSGsozaKZvCPwBHIAEUfGaaYKHNy6iBBXEYFvCBk0uHrEapCJuChpgCNEt5wXAjf/Fl3ihwy74R7FPJY+0TSVTriIPR19TuYcLH+d0Wdo8mEcTg5excHK3E6y5HP6zmbUNf40m6bu9tZTIKpoh3WS1zn61iFIzxy9kH3V1wgi0LCbbFXWe1giVilG8dQdRIcKyHLmDvVs9B+KMEpztwg+XWK2wm1e9f+8B6GmRzdUjiokg+kPPs+5WkgdIwgc+gAwIBEKKBxwSBxHy3Q6Q4RuSnLWd14cz1J14HD4wbiZpp25Ik01vaqSasgEQP3BPkcOtEzYVn9ytYa1Ey54hMYIBsUrCOxBLUi1SkH4BWwnTrL5kdhvH1CO8PMHa9X7CEcqhouQ3Tm9Ziiz0K8VY0hfB0cpDIpJo4L37iQUE5+07ZAl4Jwri2BiU8EB3mlAIU+F3UI6uwKEVk1iaj+cNX3bHa6RgOYMBFP3TLLvAeR2+oW3QJSolIYkddctdWjBF5/Iy2cb1B0Zu5NOqwTzM=
> GSSAPI error major: Miscellaneous failure
> GSSAPI error minor: No principal in keytab matches desired name
> GSSAPI error: acquiring credentials
> GSSAPI ADAT failed
> ---> AUTH GSSAPI
> GSSAPI authentication failed
> ---> AUTH KERBEROS_V4
> KERBEROS_V4 accepted as authentication type
> Kerberos V4 krb_mk_req failed: You have no tickets cached
> Name (server.james.com:root):
> 
> =============================
> Server Config 
> =============================
> ==========
> /etc/hosts
> ==========
> 
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1       localhost.localdomain   localhost
> 192.168.1.1     server.james.com        server1
> 10.150.41.73    client.james.com        client1
> 
> ==========
> klist -k
> ==========
> [root at localhost xinetd.d]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/server.james.com at JAMES.COM
>    3 host/client.james.com at JAMES.COM
>    3 host/server.james.com at JAMES.COM
>    2 root/client.james.com at JAMES.COM
>    2 root/server.james.com at JAMES.COM
>    3 ftp/server.james.com at JAMES.COM
>    3 host/client.james.com at JAMES.COM
>    2 root/client.james.com at JAMES.COM
>    2 root/server.james.com at JAMES.COM
>    3 ftp/server.james.com at JAMES.COM
> 
> ==========
> klist -e
> ==========
> 
> [root at localhost xinetd.d]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root/server.james.com at JAMES.COM
>  
> Valid starting     Expires            Service principal
> 11/15/04 14:29:53  11/16/04 14:29:53  krbtgt/JAMES.COM at JAMES.COM
>         Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
>  
>  
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> 
> ===========
> listprincs
> ===========
> kadmin:  listprincs
> K/M at JAMES.COM
> ftp/server.james.com at JAMES.COM
> host/client.james.com at JAMES.COM
> host/server.james.com at JAMES.COM
> kadmin/admin at JAMES.COM
> kadmin/changepw at JAMES.COM
> kadmin/history at JAMES.COM
> krbtgt/JAMES.COM at JAMES.COM
> root/admin at JAMES.COM
> root/client.james.com at JAMES.COM
> root/server.james.com at JAMES.COM
> 
> ==============
> /etc/krb5.conf
> ==============
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>                                                                                      
> [libdefaults]
>  default_realm = JAMES.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>                                                                                      
> [realms]
>  JAMES.COM = {
>   kdc = server.james.com:88
>   admin_server = server.james.com:749
>   default_domain = james.com
>  }
>                                                                                      
> [domain_realm]
>  .james.com = JAMES.COM
>  james.com = JAMES.COM
>                                                                                      
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>                                                                                      
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> ==============================
> /var/kerberos/krb5kdc/kdc.conf
> ==============================
>                                                                                    
> [kdcdefaults]
>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>  dict_file = /usr/share/dict/words
>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>  v4_mode = nopreauth
>                                                                                      
> [realms]
>  JAMES.COM = {
>   master_key_type = des-cbc-crc
>   supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>  }
> 
> 
> =============================
> Client Config 
> =============================
> ==========
> /etc/hosts
> ==========
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1               rh9 localhost.localdomain localhost
> 10.150.41.73            client.james.com
> 192.168.1.1             server.james.com
> 
> ==========
> klist -e
> ==========                                                                                      
> [root at rh9 bin]# ./klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root/client.james.com at JAMES.COM
>  
> Valid starting     Expires            Service principal
> 11/15/04 12:29:30  11/15/04 22:29:09  krbtgt/JAMES.COM at JAMES.COM
>         Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> 11/15/04 12:47:34  11/15/04 22:29:09  host/server.james.com at JAMES.COM
>         Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> 11/15/04 14:20:59  11/15/04 22:29:09  ftp/server.james.com at JAMES.COM
>         Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
>  
>  
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> ==========
> klist -k
> ==========                                                                                      
> 
> [root at rh9 bin]# ./klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 root/client.james.com at JAMES.COM
>    3 root/client.james.com at JAMES.COM
>    3 root/server.james.com at JAMES.COM
>    3 root/server.james.com at JAMES.COM
>    4 host/client.james.com at JAMES.COM
>    4 ftp/server.james.com at JAMES.COM
>    4 host/client.james.com at JAMES.COM
>    4 host/server.james.com at JAMES.COM
>    4 ftp/server.james.com at JAMES.COM
>    4 host/server.james.com at JAMES.COM
> [root at rh9 bin]#
> 
> ==============
> /etc/krb5.conf
> ==============
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>                                                                                   
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = JAMES.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>                                                                                   
> [realms]
>  JAMES.COM = {
>   kdc = server.james.com:88
>   admin_server = server.james.com:749
>   default_domain = james.com
>  }
>                                                                                   
> [domain_realm]
>  .james.com = JAMES.COM
>  james.com = JAMES.COM
>                                                                                   
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>                                                                                   
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

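The failure above comes from the acceptor side: ftpd takes its own hostname, canonicalises it through the resolver (here /etc/hosts, since DNS lookups are off), builds ftp/<canonical-name>@REALM and looks for exactly that entry in the keytab. The example below is added here and is not code from the thread or from MIT Kerberos; it models that lookup offline so the symptom and the fix can be checked without a KDC. The hosts file and the `klist -k` listing are copied from the post (with the archive's "at" restored to "@" and the duplicated lines dropped); the hostname values fed to the check, and the simplified first-match canonicalisation rule, are assumptions.

```python
import re

REALM = "JAMES.COM"

# /etc/hosts on the server, as posted.
SERVER_HOSTS = """\
127.0.0.1       localhost.localdomain   localhost
192.168.1.1     server.james.com        server1
10.150.41.73    client.james.com        client1
"""

# `klist -k` on the server, as posted (duplicates removed, "at" -> "@").
SERVER_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.james.com@JAMES.COM
   3 host/client.james.com@JAMES.COM
   2 root/client.james.com@JAMES.COM
   2 root/server.james.com@JAMES.COM
   3 ftp/server.james.com@JAMES.COM
"""


def canonical_name(hosts_text, name):
    """Hosts-file style canonicalisation (assumed, simplified): the first
    line whose name fields include `name` wins, and that line's first name
    is the canonical hostname (what gethostbyname reports as h_name).
    Returns None if the name does not appear at all."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        names = line.split()[1:]
        if name.lower() in (n.lower() for n in names):
            return names[0]
    return None


def service_principal(service, fqdn, realm=REALM):
    """Build the host-based service principal the acceptor will look for."""
    return f"{service}/{fqdn.lower()}@{realm}"


def keytab_principals(klist_text):
    """Parse `klist -k` output into the set of principals it lists."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found


def acceptor_check(hostname, hosts_text, klist_text, service="ftp"):
    """Return (principal_tried, present_in_keytab).

    present_in_keytab == False is the condition that surfaces as
    'No principal in keytab matches desired name'."""
    fqdn = canonical_name(hosts_text, hostname) or hostname
    princ = service_principal(service, fqdn)
    return princ, princ in keytab_principals(klist_text)


if __name__ == "__main__":
    # The server's prompt reads "root at localhost", so its hostname is
    # assumed to be "localhost"; that canonicalises to localhost.localdomain,
    # exactly what the 220 banner shows, and no such ftp/ key exists.
    for host in ("localhost", "server.james.com"):
        princ, ok = acceptor_check(host, SERVER_HOSTS, SERVER_KLIST_K)
        print(f"hostname={host!r:20} tries {princ:40} keytab match: {ok}")
```

On a live box the equivalent checks are `hostname -f` (or `getent hosts "$(hostname)"`) to see what the acceptor will canonicalise to, and `klist -k` to see what the keytab can answer for; the two must agree on the FQDN. Setting the hostname to server.james.com, or moving that name ahead of localhost.localdomain in /etc/hosts, makes the check pass without touching the keytab.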