kerberized FTP service w/ Mac OS 10.4 server
Luke Brannon
brannon at gseis.ucla.edu
Wed Jun 6 14:05:24 EDT 2007
Some further info...
When I attempt to connect to the server via Fetch 5.2 or Filezilla I
am granted two tickets (see below). The error I'm getting is: Wrong
principal in request. I'm not able to see which principal Fetch or
Filezilla is sending. Unfortunately the server's kdc.log has no info
in it.
Principal: username at KDC.DOMAIN.COM
Service: ftp/fqhn.com at KDC.DOMAIN.COM
Version: Kerberos V5
Status: Valid
Flags:
Forwardable: Yes
Forwarded: No
Proxiable: Yes
Proxied: No
Postdatable: No
Postdated: No
Invalid: No
Renewable: Yes
Initial: No
Preauthenticated: Yes
Hardware Auththenticated: No
Is S-key: No
IP Addresses: None
#####
Principal: username at KDC.DOMAIN.COM
Service: host/fqhn.com at KDC.DOMAIN.COM
Version: Kerberos V5
Status: Valid
Flags:
Forwardable: Yes
Forwarded: No
Proxiable: Yes
Proxied: No
Postdatable: No
Postdated: No
Invalid: No
Renewable: Yes
Initial: No
Preauthenticated: Yes
Hardware Auththenticated: No
Is S-key: No
IP Addresses: None
Regards,
Luke
On May 25, 2007, at 4:28 PM, Luke Brannon wrote:
> Trying to set up FTP on Mac OS 10.4 server using Kerb for
> authentication. I've attempted client connections using Fetch v5.2
> on the Mac (using GSSAPI) as well as with Filezilla (using GSSAPI)
> and in both cases I am granted a host and ftp ticket, but I get the
> error:
>
> AUTH GSSAPI
> 334 Send authorization data.
> gss_send_tok_buff = ftp at FQHN.com
> ADAT
> 535-GSSAPI error major: Incorrect channel bindings were supplied
> 535-GSSAPI error minor: No error
> 535 GSSAPI error: accepting context [ Incorrect channel bindings
> were supplied - No error ]
> release 2
> service 0gss_send_tok_buff = host at FQHN.com
> ADAT
> 535-GSSAPI error major: Miscellaneous failure
> 535-GSSAPI error minor: Wrong principal in request
> 535 GSSAPI error: accepting context [ Miscellaneous failure - Wrong
> principal in request ]
> release 2
> service 1
>
> I'm not sure if this is a server-side or client-side issue. All
> other kerberized services on the server are working fine (both AFP
> and mail). Server logs show the user successfully authenticating.
> Is there any additional configuration needed on the server end? My
> queries against Apple's support docs haven't turned anything up,
> nor has Google.
>
> Regards,
>
> Luke
>