Generic question regarding service principal required to access a kerberized ftp server
Elia Pinto
gitter.spiros at gmail.com
Wed May 12 09:42:41 EDT 2010
2010/4/10 Greg Hudson <ghudson at mit.edu>:
> On Sat, 2010-04-10 at 05:28 -0400, Elia Pinto wrote:
>> I can get a TGS ftp /<KDC MVS hostname>@< KDC MVS REALMS> but it seems
>> that the client also requests a TGS host /<KDC MVS hostname>@< KDC MVS
>> REALMS> but this one is not defined on the KDC MVS and so the ftp
>> client logon fail.
>
> The ftp client tries to authenticate to ftp/hostname, then falls back to
> host/hostname if that fails. So, no, you don't need a host/hostname
> service, but you do have to figure out why the initial authentication is
> failing.
First of all, thanks for the fast reply. It was not easy to find the problem,
given that from the logs of the Z/OS KDC it looked like a Kerberos problem. Instead
the true problem was that the Z/OS KDC was using code page IBM-1047
while the FTP server uses the code page IBM-280. And between the two
different code pages, in particular, the hexadecimal representation of
the @ character in IBM-280 matches the character §, and vice versa.
In particular, in the ftp server configuration file 'ftp.env' the
following variable was defined:
LC_ALL = It_IT.IBM-280
While in the KDC configuration file 'envar' the following variable was defined:
LANG = En_US.IBM-1047
I have then changed the code page of the IBM ftp to IBM-1047.
And it works perfectly.
Thanks again
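
The byte-level effect of the mismatch described in this message, as an added example that is not part of the original post: it reads the two locale settings quoted above, compares their codesets, and shows what a principal name written under one code page looks like when read under the other. The host name and realm are constructed, and Python's cp037 codec is an assumed stand-in for the characters that IBM-1047 and IBM-280 encode identically.

```python
# Byte each code page uses for the two characters named in the post.
# Assumption: Python has no IBM-1047 or IBM-280 codec, so cp037 stands in for
# letters, digits, '/' and '.', which share the same bytes in all three pages.
AT_SIGN = {"IBM-1047": 0x7C, "IBM-280": 0xB5}   # '@'
SECTION = {"IBM-1047": 0xB5, "IBM-280": 0x7C}   # '§'

# Settings quoted in the post; the principal is a constructed sample.
FTP_ENV = "LC_ALL = It_IT.IBM-280"
KDC_ENV = "LANG = En_US.IBM-1047"
PRINCIPAL = "ftp/mvs1.example.com@EXAMPLE.COM"

def codeset(env_text):
    """Codeset of the effective locale; LC_ALL takes precedence over LANG."""
    settings = {}
    for line in env_text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    locale = settings.get("LC_ALL") or settings.get("LANG") or ""
    return locale.partition(".")[2]

def encode(text, page):
    """Encode text to EBCDIC bytes as the given code page would."""
    special = {"@": AT_SIGN[page], "§": SECTION[page]}
    return bytes(special[c] if c in special else c.encode("cp037")[0] for c in text)

def decode(data, page):
    """Decode EBCDIC bytes as the given code page would."""
    special = {AT_SIGN[page]: "@", SECTION[page]: "§"}
    return "".join(special.get(b) or bytes([b]).decode("cp037") for b in data)

def check(writer_env, reader_env, principal):
    """Return (codesets_match, principal as the reading side sees it)."""
    w, r = codeset(writer_env), codeset(reader_env)
    for cs in (w, r):
        if cs not in AT_SIGN:
            raise ValueError(f"code page not modelled here: {cs!r}")
    return w == r, decode(encode(principal, w), r)

if __name__ == "__main__":
    ok, seen = check(FTP_ENV, KDC_ENV, PRINCIPAL)
    print("codesets match:", ok)
    print("written as    :", PRINCIPAL)
    print("read back as  :", seen)
```

With the two settings from the post the realm separator comes back as §, so the string no longer parses as name@REALM; with both sides on IBM-1047 it round-trips unchanged.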
More information about the Kerberos mailing list