Generic question regarding service principal required to access a kerberized ftp server

Elia Pinto gitter.spiros at gmail.com
Fri Apr 9 11:44:08 EDT 2010


Hi to all

I'm trying to do an ftp logon from a Linux client (RHEL 5.4)
authenticated via Kerberos to an AD (Active Directory) domain to a KDC
MVS RACF (SAF mode and nokeytab) in cross-domain realm trust with the
AD.

The ftp client I'm using is the one which is distributed by Kerberos MIT on
RHEL (krb-workstation 1.6.1-36 rpm).

I can get a TGS ftp/<KDC MVS hostname>@<KDC MVS REALMS> but it seems
that the client also requests a TGS host/<KDC MVS hostname>@<KDC MVS
REALMS>, but this one is not defined on the KDC MVS and so the ftp
client logon fails.

The question now is whether it is really necessary for a service like ftp to
also have as a principal host/<KDC MVS hostname>@<KDC MVS REALMS>?
RFC 2228 is unclear on this point.

Thanks in advance.


