Kerberos5 FTP not working. Need Help!

James Chen Chenj at
Tue Nov 16 20:24:35 EST 2004

I removed the key on the client, ran kinit again, and now FTP is working.

Thank you very much for your help, Ken and Douglas!

Warmest Regards,

-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU]
Sent: Tuesday, November 16, 2004 4:22 PM
To: James Chen
Cc: Ken Raeburn; Douglas E. Engert; kerberos at MIT.EDU
Subject: Re: Kerberos5 FTP not working. Need Help!

On Nov 16, 2004, at 19:15, James Chen wrote:
> Hi Ken and Douglas,
> Thanks a lot for answering my question!
> I changed the hostname of my server and client to and
> respectively. The 220 reply shows the FQDN of server:
> 220 FTP server (Version 5.60) ready.
> However, I get another error : Key version number for principal in key
> table is incorrect. I checked klist -ke and getprinc on
> output below). The KVNO is different for both
> ftp/ and host/ I think the reason
> are different is that I added the key for principal
> ftp/, host/ on both server and client.

You don't need the key for the server on the client system.

> Each time I run ktadd for a principal, the KVNO increases. If I remove
> these two keys on the server, I got the same error "GSSAPI error
> No principal in keytab matches desired name" again. Should I use "ktadd"
> to add these keys to keytab on or or
> both? Could you give me some suggestion what I should try next? ( I
> attached some console output below)

Yes, re-adding the key on the server will update the version again, and 
the keytab should then be consistent with the database.  Note that if 
your ticket file on the client already has a ticket for the service, 
it'll have no way of knowing that it's out of date, so you should run 
kinit again.
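
A server-side check for the mismatch discussed in this thread, added here as an example and not part of the original messages: it compares the key versions listed by `klist -k` with what `kvno` reports after a fresh `kinit`. The host names, realm and sample listings are constructed, and `check_kvno` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output on the server (hypothetical names).
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   4 ftp/server.example.com@EXAMPLE.COM
   5 ftp/server.example.com@EXAMPLE.COM'

# Constructed sample of `kvno <principal>` output, taken after a fresh kinit
# so that no stale cached service ticket hides the current key version.
KDC_LISTING='host/server.example.com@EXAMPLE.COM: kvno = 3
ftp/server.example.com@EXAMPLE.COM: kvno = 6'

# check_kvno KEYTAB_TEXT KDC_TEXT
# Prints one line per principal the KDC reported:
#   OK      the keytab holds the KDC's current key version
#   STALE   the keytab has the principal, but only older key versions
#   MISSING the keytab has no entry for the principal
# Returns 1 if any principal is STALE or MISSING, 0 otherwise.
check_kvno() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { kdc = 1; next }
        # keytab rows look like: "<kvno> <principal> [(enctype)]"
        !kdc && $1 ~ /^[0-9]+$/ { have[$2, $1] = 1; seen[$2] = 1; next }
        # kvno rows look like: "<principal>: kvno = <n>"
        kdc && $2 == "kvno" && $3 == "=" {
            p = $1; sub(/:$/, "", p)
            if ((p, $4) in have) { print "OK " p " kvno=" $4 }
            else if (p in seen)  { print "STALE " p " kdc_kvno=" $4; bad = 1 }
            else                 { print "MISSING " p " kdc_kvno=" $4; bad = 1 }
        }
        END { exit bad + 0 }'
}

# With the samples above, ftp/ is STALE: a ktadd run elsewhere moved the KDC
# to kvno 6 while the server keytab still holds versions 4 and 5.
check_kvno "$KEYTAB_LISTING" "$KDC_LISTING" ||
    echo "re-run ktadd on the server, then kinit again on the client"
```
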

