Kerberos5 FTP not working. Neep Help!
Chenj at juniper.net
Tue Nov 16 20:24:35 EST 2004
I removed the key on the client, run kinit again and now FTP is working
Thank you very much for your help, Ken and Douglas!
From: Ken Raeburn [mailto:raeburn at MIT.EDU]
Sent: Tuesday, November 16, 2004 4:22 PM
To: James Chen
Cc: Ken Raeburn; Douglas E. Engert; kerberos at MIT.EDU
Subject: Re: Kerberos5 FTP not working. Neep Help!
On Nov 16, 2004, at 19:15, James Chen wrote:
> Hi Ken and Douglas,
> Thanks a lot for answering my question!
> I changed the hostname of my server and client to server.james.com and
> client.james.com respetively. The 220 reply shows the FQDN of server :
> 220 server.james.com FTP server (Version 5.60) ready.
> However, I get another error : Key version number for principal in key
> table is incorrect. I checked klist -ke and getprinc on
> client.james.com(see output below). The KVNO is different for both
> ftp/server.james.com and host/server.james.com. I think the reason
> are different is that I added the key for principal
> ftp/server.james.com, host/server.james.com on both server and client.
You don't need the key for the server on the client system.
> Each time I run ktadd for a principal, the KVNO increases. If I remove
> these two keys on the server, I got the same error "GSSAPI error
> No principal in keytab matches desired name" again. Should I use
> to add these keys to keytab on server.james.com or client.james.com or
> both? Could you give me some suggestion what I should try next? ( I
> attached some console output below)
Yes, re-adding the key on the server will update the version again, and
the keytab should then be consistent with the database. Note that if
your ticket file on the client already has a ticket for the service,
it'll have no way of knowing that it's out of date, so you should run
More information about the Kerberos