Kerberos5 FTP not working. Need Help!

James Chen Chenj at juniper.net
Tue Nov 16 19:15:50 EST 2004


Hi Ken and Douglas,

Thanks a lot for answering my question! 

I changed the hostname of my server and client to server.james.com and
client.james.com respectively. The 220 reply shows the FQDN of server :

220 server.james.com FTP server (Version 5.60) ready.

However, I get another error : Key version number for principal in key
table is incorrect. I checked klist -ke and getprinc on
client.james.com(see output below). The KVNO is different for both
ftp/server.james.com and host/server.james.com. I think the reason they
are different is that I added the key for principal
ftp/server.james.com, host/server.james.com on both server and client.
Each time I run ktadd for a principal, the KVNO increases. If I remove
these two keys on the server, I get the same error "GSSAPI error minor:
No principal in keytab matches desired name" again. Should I use "ktadd"
to add these keys to keytab on server.james.com or client.james.com or
both? Could you give me some suggestion what I should try next? ( I
attached some console output below)

===========
Output
===========

[root@client bin]# ./ftp -d -v server.james.com
Connected to server.james.com.
220 server.james.com FTP server (Version 5.60) ready.
---> AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
Trying to authenticate to <ftp@server.james.com>
calling gss_init_sec_context
---> ADAT ...
---> AUTH GSSAPI
Trying to authenticate to <host@server.james.com>
calling gss_init_sec_context
---> ADAT ...
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Key version number for principal in key table is incorrect
GSSAPI error: accepting context
GSSAPI ADAT failed
---> AUTH GSSAPI
GSSAPI authentication failed
---> AUTH KERBEROS_V4
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (server.james.com:root):



[root@client bin]# ./klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 ftp/server.james.com@JAMES.COM (etype 23)
   9 ftp/server.james.com@JAMES.COM (DES with HMAC/sha1)
   9 ftp/server.james.com@JAMES.COM (Triple DES cbc mode with HMAC/sha1)
   9 ftp/server.james.com@JAMES.COM (DES cbc mode with RSA-MD5)
   5 host/server.james.com@JAMES.COM (etype 23)
   5 host/server.james.com@JAMES.COM (Triple DES cbc mode with HMAC/sha1)
   5 host/server.james.com@JAMES.COM (DES with HMAC/sha1)
   5 host/server.james.com@JAMES.COM (DES cbc mode with RSA-MD5)
   5 root/client.james.com@JAMES.COM (etype 23)
   5 root/client.james.com@JAMES.COM (DES with HMAC/sha1)
   5 root/client.james.com@JAMES.COM (Triple DES cbc mode with HMAC/sha1)
   5 root/client.james.com@JAMES.COM (DES cbc mode with RSA-MD5)


kadmin:  getprinc ftp/server.james.com
Principal: ftp/server.james.com@JAMES.COM
Expiration date: [never]
Last password change: Tue Nov 16 15:50:02 PST 2004
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Nov 16 15:50:02 PST 2004 (root/admin@JAMES.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 11, <Encryption type 0x17>, no salt
Key: vno 11, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 11, DES with HMAC/sha1, no salt
Key: vno 11, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]


kadmin:  getprinc host/server.james.com
Principal: host/server.james.com@JAMES.COM
Expiration date: [never]
Last password change: Tue Nov 16 15:49:54 PST 2004
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Nov 16 15:49:54 PST 2004 (root/admin@JAMES.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 7, <Encryption type 0x17>, no salt
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, DES with HMAC/sha1, no salt
Key: vno 7, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]
kadmin:


Thanks a lot!
James

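The KVNO mismatch in the output above (keytab kvno 9 and 5 versus KDC kvno 11 and 7) is easy to miss when comparing two console dumps by eye. The following script is an added example, not code from the original post or from MIT Kerberos: it parses `klist -ke` output and one or more `kadmin getprinc` outputs and reports every principal whose current KDC key version is absent from the keytab. The sample text is taken from the post above (with the list archive's " at " restored to "@") and trimmed to a few lines; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Sample `klist -ke` output, copied from the post above and shortened.
KLIST_KE_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 ftp/server.james.com@JAMES.COM (etype 23)
   9 ftp/server.james.com@JAMES.COM (DES with HMAC/sha1)
   5 host/server.james.com@JAMES.COM (etype 23)
   5 root/client.james.com@JAMES.COM (etype 23)
"""

# Sample `kadmin getprinc` outputs, copied from the post above and shortened.
GETPRINC_OUTPUTS = [
    """\
Principal: ftp/server.james.com@JAMES.COM
Number of keys: 4
Key: vno 11, <Encryption type 0x17>, no salt
Key: vno 11, Triple DES cbc mode with HMAC/sha1, no salt
""",
    """\
Principal: host/server.james.com@JAMES.COM
Number of keys: 4
Key: vno 7, <Encryption type 0x17>, no salt
""",
]

# One keytab entry: "   9 ftp/server.james.com@JAMES.COM (etype 23)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.*)\)\s*$")
PRINC_LINE = re.compile(r"^Principal:\s+(\S+)")
KEY_LINE = re.compile(r"^Key:\s+vno\s+(\d+),")


def parse_keytab(text):
    """Return {principal: set(kvno)} from `klist -ke` output.

    Header and separator lines do not start with a number, so they are skipped.
    """
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def parse_getprinc(text):
    """Return (principal, set(kvno)) from one `kadmin getprinc` output."""
    principal = None
    kvnos = set()
    for line in text.splitlines():
        m = PRINC_LINE.match(line)
        if m:
            principal = m.group(1)
            continue
        m = KEY_LINE.match(line)
        if m:
            kvnos.add(int(m.group(1)))
    return principal, kvnos


def find_kvno_mismatches(keytab_text, getprinc_texts):
    """Return {principal: (keytab_kvnos, kdc_kvnos)} for every principal the
    KDC reports whose key versions are all missing from the keytab.

    A service can only decrypt tickets issued under a kvno it holds, so an
    empty intersection means the "Key version number for principal in key
    table is incorrect" failure seen in the post.
    """
    keytab = parse_keytab(keytab_text)
    mismatches = {}
    for text in getprinc_texts:
        principal, kdc_kvnos = parse_getprinc(text)
        if principal is None:
            continue
        in_keytab = keytab.get(principal, set())
        if not (kdc_kvnos & in_keytab):
            mismatches[principal] = (sorted(in_keytab), sorted(kdc_kvnos))
    return mismatches


if __name__ == "__main__":
    for princ, (have, want) in find_kvno_mismatches(KLIST_KE_OUTPUT, GETPRINC_OUTPUTS).items():
        print(f"{princ}: keytab has kvno {have}, KDC has kvno {want}")
```

Run against the post's data, the check flags exactly the two service principals (ftp and host) whose KDC kvno is newer than the keytab copy. That is what running ktadd on a second host does: each ktadd generates a fresh random key and bumps the kvno on the KDC, so the keytab written earlier on the other host is left holding a stale version.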

-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU]
Sent: Tuesday, November 16, 2004 3:34 PM
To: James Chen
Cc: Ken Raeburn; kerberos at MIT.EDU
Subject: Re: Kerberos5 FTP not working. Need Help!


Yes, with the hostname set to server.james.com, that looks better.
Does the ftp server work properly now?

Ken
