ftp GSSAPI messages

peter sands peter_sands at techemail.com
Tue Oct 13 11:12:15 EDT 2009


> Trace the ftp server and look for ENOENT errors.  I bet you'll find that
> either the krb5.conf file or the krb5.keytab file are missing.
>
> Nico
> --

Thanks, you're right: I had the keytab but with the wrong filename.

Now I get another error:
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request
GSSAPI error: accepting context

If I run in debug mode it first tries the ftp principal, fails with
the gssapi error, then falls back to the host principal and connects.
All looks good with the DNS and /etc/hosts, which seems to be the main
problem with this error.

The main kdc logs show a ticket for the host principal eng01, instead
of ftp/eng01:
Oct 13 15:35:02 elec01 /usr/krb5/sbin/krb5kdc[508042](info): AS_REQ (5 etypes {16 23 18 3 1}) 172.22.11.114(88): ISSUE: authtime 1255444502, etypes {rep=16 tkt=16 ses=16}, host/eng01.mydomain.com at MYDOMAIN.COM for kadmin/admin at MYDOMAIN.COM


$ ftp -d eng01.mydomain.com
Connected to eng01.mydomain.com.
220 syg04 FTP server (Version 4.2 Fri Mar 13 12:08:31 CDT 2009) ready.
---> AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
Trying to authenticate to <ftp at eng01.mydomain.com>
calling gss_init_sec_context
---> ADAT
YIICIAYJKoZIhvcSAQICAQBuggIPMIICC6ADAgEFoQMCAQ6iBwMFACAAAACjggEnYYIBIz
CCAR+gAwIBBaEMGwpBQ0VJTlMuQ09NoigwJqADAgEDoR8w
........
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request
GSSAPI error: accepting context
ADAT command failed
Trying to authenticate to <host at eng01.mydomain.com>
calling gss_init_sec_context
---> ADAT YIICIQYJKoZIhvcSAQICAQBuggIQMIICDKADAgEFoQMCA
calling gss_init_sec_context
Name (eng01.mydomain.com:psands):
ftp>


Any help please
thanks
Pete.
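
Added example, not part of the original message: a small parser for KDC log lines in the layout quoted above, where the trailing `<client> for <service>` pair names the requesting principal first and the ticket's service principal second, so that issued TGS_REQ entries for `ftp/...` can be picked out. The function names and the second and third sample lines are constructed for illustration, and " at " is assumed to be the list archive's rendering of "@".

```python
import re

# "<REQ> (<etypes>) <addr>: <STATUS>: ... <client> for <service>"
REQ = re.compile(r"\b(AS_REQ|TGS_REQ) \(.*?\) (\S+): ([A-Z_]+): (.*)$")
# Principal pair; the realm separator is "@" or the archive's " at ".
PAIR = re.compile(r"(\S+(?:@| at )[^\s,]+) for (\S+(?:@| at )[^\s,]+)")

def parse_kdc_line(line):
    """Return request type, status, client and service principal, or None."""
    req = REQ.search(line.strip())
    pair = PAIR.search(req.group(4)) if req else None
    if not pair:
        return None
    client, service = (p.replace(" at ", "@") for p in pair.groups())
    return {"req": req.group(1), "addr": req.group(2),
            "status": req.group(3), "client": client, "service": service}

def service_tickets(lines, prefix):
    """Issued TGS_REQ entries whose service principal starts with prefix."""
    hits = []
    for line in lines:
        e = parse_kdc_line(line)
        if (e and e["req"] == "TGS_REQ" and e["status"] == "ISSUE"
                and e["service"].startswith(prefix)):
            hits.append(e)
    return hits

# Line 1 is the log line from the post, unwrapped. Lines 2 and 3 are
# constructed TGS_REQ entries in the same layout (hypothetical values).
HEAD = "Oct 13 15:35:02 elec01 /usr/krb5/sbin/krb5kdc[508042](info): "
SAMPLE = [
    HEAD + "AS_REQ (5 etypes {16 23 18 3 1}) 172.22.11.114(88): ISSUE: "
    "authtime 1255444502, etypes {rep=16 tkt=16 ses=16}, "
    "host/eng01.mydomain.com at MYDOMAIN.COM for kadmin/admin at MYDOMAIN.COM",
    HEAD + "TGS_REQ (5 etypes {16 23 18 3 1}) 172.22.11.50(88): ISSUE: "
    "authtime 1255444510, etypes {rep=16 tkt=16 ses=16}, "
    "psands@MYDOMAIN.COM for ftp/eng01.mydomain.com@MYDOMAIN.COM",
    HEAD + "TGS_REQ (5 etypes {16 23 18 3 1}) 172.22.11.50(88): ISSUE: "
    "authtime 1255444510, etypes {rep=16 tkt=16 ses=16}, "
    "psands@MYDOMAIN.COM for host/eng01.mydomain.com@MYDOMAIN.COM",
]

if __name__ == "__main__":
    for e in map(parse_kdc_line, SAMPLE):
        print(e["req"], e["status"], e["client"], "->", e["service"])
    print(len(service_tickets(SAMPLE, "ftp/")), "ticket(s) issued for ftp/")
```
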



