[23853] in Kerberos
Re: can we FTP upload behind firewall and NAT
daemon@ATHENA.MIT.EDU (Markus Moeller)
Mon May 9 14:56:31 2005
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Sun, 8 May 2005 21:33:43 +0100
Message-ID: <427e77ac$0$39096$ed2e19e4@ptn-nntp-reader04.plus.net>
To: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Shih-Chieh
You can use it behind a firewall if you switch off the channel binding. If I
remember right the latest MIT sources don't use channel bindings anymore,
Heimdal and proftpd with mod_gss have an option for the daemon to switch it
off.
The other problem you may have is that the FW can't inspect the PORT/PASV
command anymore to open the right ports of a stateful firewall and to
replace ports if needed.
Regards
Markus
"Shih-Chieh Hsu" <schsu@fnal.gov> wrote in message
news:427DBD95.5070906@fnal.gov...
> Hi!
>
> Has anyone ever succeeded in uploading files to a kerberised server from
> a compute node behind a firewall and NAT?
>
> Here's the error message.
> 1. I tried getting addressless credentials by doing 'kinit -n'.
> 2. However, ftp gives me the following error.
> GSSAPI accepted as authentication type
> GSSAPI error major: Incorrect channel bindings were supplied
> GSSAPI error minor: No error
> GSSAPI error: accepting context
> GSSAPI ADAT failed
> GSSAPI authentication failed
> KERBEROS_V4 accepted as authentication type
> Kerberos V4 krb_mk_req failed: You have no tickets cached
> Name (fcdfdata114.fnal.gov:schsu): schsu
> Password:
> Login failed.
> Remote system type is UNIX.
> Using binary mode to transfer files.
>
>
> many thanks,
>
> Shih-Chieh
> P.S. I've tried, and anonymous with passive mode allows me to download a file.
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
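Added example (not part of the original messages, and not code from MIT Kerberos, Heimdal or mod_gss): a Python sketch of why the acceptor reports incorrect channel bindings when the client sits behind NAT. It computes the RFC 1964 section 1.1.1 Bnd hash over the address-based bindings that RFC 2228 specifies for FTP; the IP addresses are constructed, and `acceptor_check` with its `enforce` flag is a hypothetical, simplified model of a daemon option that switches the check off.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2  # address type constant from RFC 2744


def _addr(ip: str) -> bytes:
    """Encode addrtype, length and value; integers are 4-byte little-endian."""
    raw = socket.inet_aton(ip)
    return struct.pack("<II", GSS_C_AF_INET, len(raw)) + raw


def bnd_field(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel bindings structure (the 16-byte Bnd value)."""
    blob = _addr(initiator_ip) + _addr(acceptor_ip)
    blob += struct.pack("<I", len(app_data)) + app_data  # FTP: no app data
    return hashlib.md5(blob).digest()


def acceptor_check(received_bnd, peer_ip, local_ip, enforce=True):
    """Simplified acceptor model: recompute Bnd from the addresses the server sees."""
    if not enforce:  # hypothetical flag: daemon told to ignore channel bindings
        return "GSS_S_COMPLETE"
    expected = bnd_field(peer_ip, local_ip)
    return "GSS_S_COMPLETE" if received_bnd == expected else "GSS_S_BAD_BINDINGS"


# Constructed addresses (RFC 1918 / RFC 5737 ranges), not taken from the thread.
CLIENT_PRIVATE = "192.168.1.10"  # what the client believes its address is
NAT_PUBLIC = "203.0.113.7"       # source address the server actually sees
SERVER = "198.51.100.20"


def demo():
    sent = bnd_field(CLIENT_PRIVATE, SERVER)  # computed by the client behind NAT
    return {
        "direct": acceptor_check(sent, CLIENT_PRIVATE, SERVER),
        "nat": acceptor_check(sent, NAT_PUBLIC, SERVER),
        "nat_bindings_off": acceptor_check(sent, NAT_PUBLIC, SERVER, enforce=False),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The Bnd value travels in the authenticator, separately from any addresses in the ticket, so it is evaluated independently of whether the credentials are addressless.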