kerberized FTP service w/ Mac OS 10.4 server

Markus Moeller huaraz at moeller.plus.com
Wed Jun 6 16:51:45 EDT 2007


Luke,

when using kerberised ftp the client will first try the ftp/fqdn principal; 
if that fails it uses the host principal. This is what you see in your 
cache. Your original problem is related to "Incorrect channel bindings were 
supplied" which usually means you are using address translation somewhere 
between the client and server.  Depending on the server you can 
enable/disable that feature.

Regards
Markus


"Luke Brannon" <brannon at gseis.ucla.edu> wrote in message 
news:866813F0-E82E-4CB8-BA85-5F91322342CD at gseis.ucla.edu...
> Some further info...
>
> When I attempt to connect to the server via Fetch 5.2 or Filezilla I
> am granted two tickets (see below).  The error I'm getting is: Wrong
> principal in request.  I'm not able to see which principal Fetch or
> Filezilla is sending.  Unfortunately the server's kdc.log has no info
> in it.
>
> Principal: username at KDC.DOMAIN.COM
> Service: ftp/fqhn.com at KDC.DOMAIN.COM
> Version: Kerberos V5
> Status: Valid
>
> Flags:
> Forwardable: Yes
> Forwarded: No
> Proxiable: Yes
> Proxied: No
> Postdatable: No
> Postdated: No
> Invalid: No
> Renewable: Yes
> Initial: No
> Preauthenticated: Yes
> Hardware Auththenticated: No
> Is S-key: No
>
> IP Addresses: None
>
> #####
>
> Principal: username at KDC.DOMAIN.COM
> Service: host/fqhn.com at KDC.DOMAIN.COM
> Version: Kerberos V5
> Status: Valid
>
> Flags:
> Forwardable: Yes
> Forwarded: No
> Proxiable: Yes
> Proxied: No
> Postdatable: No
> Postdated: No
> Invalid: No
> Renewable: Yes
> Initial: No
> Preauthenticated: Yes
> Hardware Auththenticated: No
> Is S-key: No
>
> IP Addresses: None
>
> Regards,
>
> Luke
>
> On May 25, 2007, at 4:28 PM, Luke Brannon wrote:
>
>> Trying to set up FTP on Mac OS 10.4 server using Kerb for
>> authentication.  I've attempted client connections using Fetch v5.2
>> on the Mac (using GSSAPI) as well as with Filezilla (using GSSAPI)
>> and in both cases I am granted a host and ftp ticket, but I get the
>> error:
>>
>> AUTH GSSAPI
>> 334 Send authorization data.
>> gss_send_tok_buff = ftp at FQHN.com
>> ADAT
>> 535-GSSAPI error major: Incorrect channel bindings were supplied
>> 535-GSSAPI error minor: No error
>> 535 GSSAPI error: accepting context [ Incorrect channel bindings
>> were supplied - No error ]
>> release 2
>> service 0gss_send_tok_buff = host at FQHN.com
>> ADAT
>> 535-GSSAPI error major: Miscellaneous failure
>> 535-GSSAPI error minor: Wrong principal in request
>> 535 GSSAPI error: accepting context [ Miscellaneous failure - Wrong
>> principal in request ]
>> release 2
>> service 1
>>
>> I'm not sure if this is a server-side or client-side issue.  All
>> other kerberized services on the server are working fine (both AFP
>> and mail).  Server logs show the user successfully authenticating.
>> Is there any additional configuration needed on the server end?  My
>> queries against Apple's support docs haven't turned anything up,
>> nor has google.
>>
>> Regards,
>>
>> Luke
>>
>
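
Added example, not part of the original thread: a sketch of why address translation produces "Incorrect channel bindings were supplied". It assumes the FTP GSSAPI binding (RFC 2228) uses the client and server IPv4 addresses as initiator and acceptor addresses and that the Kerberos mechanism hashes them as described in RFC 1964 and RFC 4121; the function names and sample addresses are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

GSS_C_AF_INET = 2  # IPv4 address type from the GSS-API C bindings (RFC 2744)

def binding_checksum(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the binding fields; integers are 4-byte little-endian."""
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        buf += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()  # MD5 is fixed by the mechanism spec

def acceptor_check(client_bnd, peer_ip, local_ip):
    """Server side: rebuild the bindings from its own socket view and compare."""
    expected = binding_checksum(peer_ip, local_ip)
    if hmac.compare_digest(client_bnd, expected):
        return "ok"
    # Major status shown as "Incorrect channel bindings were supplied"
    return "GSS_S_BAD_BINDINGS"

def rewritten_fields(client_view, server_view):
    """Name which half of the (initiator, acceptor) pair a middlebox changed."""
    labels = ("initiator address", "acceptor address")
    return [l for l, c, s in zip(labels, client_view, server_view) if c != s]

# Constructed sample addresses (RFC 1918 / RFC 5737), not from the thread.
CLIENT_LAN, NAT_PUBLIC, SERVER = "192.168.1.20", "203.0.113.7", "198.51.100.10"

if __name__ == "__main__":
    # No translation: both ends agree on the address pair.
    direct = binding_checksum(NAT_PUBLIC, SERVER)
    print("no translation:", acceptor_check(direct, NAT_PUBLIC, SERVER))
    # Source NAT: the client hashes its LAN address, the server sees the NAT's.
    natted = binding_checksum(CLIENT_LAN, SERVER)
    print("behind NAT:   ", acceptor_check(natted, NAT_PUBLIC, SERVER))
    print("changed:", rewritten_fields((CLIENT_LAN, SERVER), (NAT_PUBLIC, SERVER)))
```

Comparing the address pair each end reports for the control connection (for example from a packet capture on both sides) against this model shows which address a middlebox rewrote.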