Query regarding cross realm authentication
Alpa
alpa at mahindrabt.com
Wed Jan 14 05:30:57 EST 2004
Hi all,
I am new to Kerberos. I have installed MIT Kerberos on 2 machines on two
different realms. I have added the principals
krbtgt/ONE.COM@TWO.COM and
krbtgt/TWO.COM@ONE.COM on both KDCs.
I have also added the service ftp/kdc.one.com@one.com.
I am on TWO.COM.
I do kinit alpa and get the initial ticket.
When I run ftp -n kdc.one.com I get the service principal and it gives me
this message:
Connected to kdc.one.com.
220 kdc.one.com FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
But I cannot run any ftp commands... If I do ls -l then I get this message:
530 Please login with USER and PASS.
Passive mode refused. Turning off passive mode.
200 PORT command successful.
530 Please login with USER and PASS.
Then when I type user and enter my user name it says:
530 GSSAPI user alpa@TWO.COM is not authorized as alpa; Access denied.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
I am unable to run any ftp commands...
I am able to get the cross-realm ticket and also the service ticket...
Can anyone please help me as to where things are going wrong?
Thanks
Alpa
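
Added example, not part of the original post and not MIT Kerberos source code: a simplified Python model of the krb5_kuserok-style local authorization rule, assumed here to be the check behind the "not authorized as alpa" reply, showing that GSSAPI authentication succeeding and authorization to a local account are separate decisions. The function names and the server default realm ONE.COM are assumptions made for illustration.

```python
# Added example: simplified model of the local-authorization decision.
# Function names are hypothetical; this is not MIT krb5 source code.

def parse_principal(principal):
    """Split 'name[/instance]@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM, got %r" % principal)
    return name.split("/"), realm

def default_localname(principal, default_realm):
    """Default mapping: only a single-component principal in the
    server's own default realm maps to a local account name."""
    components, realm = parse_principal(principal)
    if realm == default_realm and len(components) == 1:
        return components[0]
    return None  # a foreign-realm principal has no default local name

def user_ok(principal, local_user, default_realm, k5login=None):
    """Return (allowed, reason). k5login holds the lines of the target
    account's ~/.k5login, or None when that file does not exist."""
    parse_principal(principal)  # reject malformed names early
    if k5login is not None:
        listed = {line.strip() for line in k5login if line.strip()}
        if principal in listed:
            return True, "listed in .k5login"
        return False, "not listed in .k5login"
    if default_localname(principal, default_realm) == local_user:
        return True, "default realm mapping"
    return False, "no default mapping for this principal"

if __name__ == "__main__":
    # Constructed cases; the server is assumed to have default realm ONE.COM.
    cases = [
        ("alpa@TWO.COM", None),                # the situation in the post
        ("alpa@ONE.COM", None),                # same-realm user
        ("alpa@TWO.COM", ["alpa@TWO.COM\n"]),  # cross-realm user listed
        ("alpa@ONE.COM", ["alpa@TWO.COM\n"]),  # file exists, not listed
    ]
    for principal, k5login in cases:
        print(principal, k5login, user_ok(principal, "alpa", "ONE.COM", k5login))
```

On the server side the corresponding settings are an entry for the foreign principal in the target account's ~/.k5login, or an auth_to_local mapping in krb5.conf.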