Kerberos5 FTP not working. Neep Help!

Tue Nov 16 19:15:50 EST 2004

Hi Ken and Douglas,

Thanks a lot for answering my question! 

I changed the hostname of my server and client to server.james.com and
client.james.com respetively. The 220 reply shows the FQDN of server :

220 server.james.com FTP server (Version 5.60) ready.

However, I get another error : Key version number for principal in key
table is incorrect. I checked klist -ke and getprinc on
client.james.com(see output below). The KVNO is different for both
ftp/server.james.com and host/server.james.com. I think the reason they
are different is that I added the key for principal
ftp/server.james.com, host/server.james.com on both server and client.
Each time I run ktadd for a principal, the KVNO increases. If I remove
these two keys on the server, I got the same error "GSSAPI error minor:
No principal in keytab matches desired name" again. Should I use "ktadd"
to add these keys to keytab on server.james.com or client.james.com or
both? Could you give me some suggestion what I should try next? ( I
attached some console output below)

===========
Output
===========

[root at client bin]# ./ftp -d -v server.james.com
Connected to server.james.com.
220 server.james.com FTP server (Version 5.60) ready.
---> AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
Trying to authenticate to <ftp at server.james.com>
calling gss_init_sec_context
---> ADAT
YIICLAYJKoZIhvcSAQICAQBuggIbMIICF6ADAgEFoQMCAQ6iBwMFACAAAACjggErYYIBJzCC
ASOgAwIBBaELGwlKQU1FUy5DT02iIjAgoAMCAQOhGTAXGwNmdHAbEHNlcnZlci5qYW1lcy5j
b22jgeowgeegAwIBF6EDAgEFooHaBIHX43Oby3HLuJ5OZcQzUg59wDWbdGIPt6dbBUJvZkfw
RIlcacv93w1g+fVJzzCC/qgJyKk6Yb9/7ivGjjnF6N0TnUM7yVzl9oImD46dBjO0MQAHlLD/
3EnqI1jvKOuxuCLqKzt7afkJil+gZgPabzS+7KNLuHIeaF7cxRT65N1Y0ddtA35ox5eBJGUX
04rM+y4APqZetwM5TXyNBoQHbuM4NRlyIUmNi8+Y68uTYjSX6T8NJ0IrlmqJurDopeuS/caU
EoHkgU9B4JXkeWFM3kU7cz3nvUrGsh+kgdIwgc+gAwIBEKKBxwSBxEhgQciZuAXU61lYBFd8
zFgrAT3G09KyM5ecwFXnljCwkW2VnUxsDHika9WgOU5tx9ILjwI3TIkOv7YRNdnMJtNhFN8J
qEiGIasR7KY+Ws+U3FS3k77z2yk40tSmHmo21rJfkLUHbakty2nuib4t/6xHhnkidGQktf/e
SETmh11yNaf5oA9nux3uHag741Avj5JlIxObMhIW1+CvCZVSlnDAA6I1TmuiAeTQFX/V+f60
izV1iyD4Qy/RU7Q+tOkFiRLTd3E=
---> AUTH GSSAPI
Trying to authenticate to <host at server.james.com>
calling gss_init_sec_context
---> ADAT
YIICLQYJKoZIhvcSAQICAQBuggIcMIICGKADAgEFoQMCAQ6iBwMFACAAAACjggEsYYIBKDCC
ASSgAwIBBaELGwlKQU1FUy5DT02iIzAhoAMCAQOhGjAYGwRob3N0GxBzZXJ2ZXIuamFtZXMu
Y29to4HqMIHnoAMCARehAwIBBaKB2gSB1ylbx1cySCBu+LUIxEK9Lj+pcn1A8/XIM+TgDUbU
uv4baZb7gXTiDJnT+dlZwYeQaui8DjZcaMafHlao1U51jQP4la+fJJWusrOk2zg6ppEtiWbY
K7+8KgYqqlbXXB3Gu5Hm9mW2CdhXJWr45gpE1ZPfyvCsWhOgwK3HYsyLGMGZ8F7qwhKka7MH
2I3sTgfxSsdFoZQdQA1A0l4UCnRS//jRJXWgJBBenSy7mOQ3pIin+JFg+KglrDQl3+9sHec7
PVzmXYEu9AtZ1jo/guncD2yavVSwdmdlpIHSMIHPoAMCARCigccEgcTAKXCd/Wr9ym8K23Ss
SyIe87Hr73eiXbGxWUEC6sewaWcCkLkLPEk0eeFcz3cbtgBjOyl42M3pzf28c7YZ2CIgztzG
voQscOZHL9TsjmwYf6zUYrwytZF9V8Q7kaCZ2iKzFKr6s72fQbb1kFcxjrs7FMXf9xgOvH6R
lp7X8Y5GyylkJJbeDeF4dOelndsVq/YwJCPdwLs/lJ9BTc4SHdoxnpffNOy8Q6ZSYOIwIz6/
s60pkBKqai0rxqW9Izfx5oq0/Krr
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Key version number for principal in key table is
incorrect
GSSAPI error: accepting context
GSSAPI ADAT failed
---> AUTH GSSAPI
GSSAPI authentication failed
---> AUTH KERBEROS_V4
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (server.james.com:root):

[root at client bin]# ./klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
------------------------------------------------------------------------
--
   9 ftp/server.james.com at JAMES.COM (etype 23)
   9 ftp/server.james.com at JAMES.COM (DES with HMAC/sha1)
   9 ftp/server.james.com at JAMES.COM (Triple DES cbc mode with HMAC/sha1)
   9 ftp/server.james.com at JAMES.COM (DES cbc mode with RSA-MD5)
   5 host/server.james.com at JAMES.COM (etype 23)
   5 host/server.james.com at JAMES.COM (Triple DES cbc mode with
HMAC/sha1)
   5 host/server.james.com at JAMES.COM (DES with HMAC/sha1)
   5 host/server.james.com at JAMES.COM (DES cbc mode with RSA-MD5)
   5 root/client.james.com at JAMES.COM (etype 23)
   5 root/client.james.com at JAMES.COM (DES with HMAC/sha1)
   5 root/client.james.com at JAMES.COM (Triple DES cbc mode with
HMAC/sha1)
   5 root/client.james.com at JAMES.COM (DES cbc mode with RSA-MD5)

kadmin:  getprinc ftp/server.james.com
Principal: ftp/server.james.com at JAMES.COM
Expiration date: [never]
Last password change: Tue Nov 16 15:50:02 PST 2004
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Nov 16 15:50:02 PST 2004 (root/admin at JAMES.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 11, <Encryption type 0x17>, no salt
Key: vno 11, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 11, DES with HMAC/sha1, no salt
Key: vno 11, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]

kadmin:  getprinc host/server.james.com
Principal: host/server.james.com at JAMES.COM
Expiration date: [never]
Last password change: Tue Nov 16 15:49:54 PST 2004
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Nov 16 15:49:54 PST 2004 (root/admin at JAMES.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 7, <Encryption type 0x17>, no salt
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, DES with HMAC/sha1, no salt
Key: vno 7, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]
kadmin:

Thanks a lot!
James

-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU]
Sent: Tuesday, November 16, 2004 3:34 PM
To: James Chen
Cc: Ken Raeburn; kerberos at MIT.EDU
Subject: Re: Kerberos5 FTP not working. Neep Help!

Yes, with the hostname set to server.james.com, that looks better.
Does the ftp server work properly now?

Ken