[27888] in Kerberos
Re: kerberized FTP service w/ Mac OS 10.4 server
daemon@ATHENA.MIT.EDU (Luke Brannon)
Wed Jun 6 14:05:41 2007
From: Luke Brannon <brannon@gseis.ucla.edu>
Date: Wed, 6 Jun 2007 11:05:24 -0700
To: kerberos@mit.edu
Some further info...
When I attempt to connect to the server via Fetch 5.2 or Filezilla I
am granted two tickets (see below). The error I'm getting is: Wrong
principal in request. I'm not able to see which principal Fetch or
Filezilla is sending. Unfortunately the server's kdc.log has no info
in it.
Principal: username@KDC.DOMAIN.COM
Service: ftp/fqhn.com@KDC.DOMAIN.COM
Version: Kerberos V5
Status: Valid
Flags:
Forwardable: Yes
Forwarded: No
Proxiable: Yes
Proxied: No
Postdatable: No
Postdated: No
Invalid: No
Renewable: Yes
Initial: No
Preauthenticated: Yes
Hardware Auththenticated: No
Is S-key: No
IP Addresses: None
#####
Principal: username@KDC.DOMAIN.COM
Service: host/fqhn.com@KDC.DOMAIN.COM
Version: Kerberos V5
Status: Valid
Flags:
Forwardable: Yes
Forwarded: No
Proxiable: Yes
Proxied: No
Postdatable: No
Postdated: No
Invalid: No
Renewable: Yes
Initial: No
Preauthenticated: Yes
Hardware Auththenticated: No
Is S-key: No
IP Addresses: None
Regards,
Luke
On May 25, 2007, at 4:28 PM, Luke Brannon wrote:
> Trying to set up FTP on Mac OS 10.4 server using Kerb for
> authentication. I've attempted client connections using Fetch v5.2
> on the Mac (using GSSAPI) as well as with Filezilla (using GSSAPI)
> and in both cases I am granted a host and ftp ticket, but I get the
> error:
>
> AUTH GSSAPI
> 334 Send authorization data.
> gss_send_tok_buff = ftp@FQHN.com
> ADAT
> 535-GSSAPI error major: Incorrect channel bindings were supplied
> 535-GSSAPI error minor: No error
> 535 GSSAPI error: accepting context [ Incorrect channel bindings
> were supplied - No error ]
> release 2
> service 0gss_send_tok_buff = host@FQHN.com
> ADAT
> 535-GSSAPI error major: Miscellaneous failure
> 535-GSSAPI error minor: Wrong principal in request
> 535 GSSAPI error: accepting context [ Miscellaneous failure - Wrong
> principal in request ]
> release 2
> service 1
>
> I'm not sure if this is a server-side or client-side issue. All
> other kerberized services on the server are working fine (both AFP
> and mail). Server logs show the user successfully authenticating.
> Is there any additional configuration needed on the server end? My
> queries against Apple's support docs haven't turned anything up,
> nor has google.
>
> Regards,
>
> Luke
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
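
Added example (not part of the original message, and not code from MIT Kerberos, Fetch or FileZilla): the Python below parses the client trace quoted above, pairs each service name the client tried with the major/minor status the server returned, and checks whether the ticket listing holds a ticket for it. The function names are made up for this example, and the host-based name is turned into a principal by lowercasing the host only, with no DNS canonicalization.

```python
import re

# Client trace and ticket service names, copied from the message above.
TRACE = """\
AUTH GSSAPI
334 Send authorization data.
gss_send_tok_buff = ftp@FQHN.com
ADAT
535-GSSAPI error major: Incorrect channel bindings were supplied
535-GSSAPI error minor: No error
535 GSSAPI error: accepting context [ Incorrect channel bindings
were supplied - No error ]
release 2
service 0gss_send_tok_buff = host@FQHN.com
ADAT
535-GSSAPI error major: Miscellaneous failure
535-GSSAPI error minor: Wrong principal in request
535 GSSAPI error: accepting context [ Miscellaneous failure - Wrong
principal in request ]
release 2
service 1
"""
TICKETS = ["ftp/fqhn.com@KDC.DOMAIN.COM", "host/fqhn.com@KDC.DOMAIN.COM"]

TARGET = re.compile(r"gss_send_tok_buff = (\S+)")
STATUS = re.compile(r"535-GSSAPI error (major|minor): (.*)")

def parse_attempts(trace):
    """One dict per service name the client tried, with the server's statuses."""
    attempts = []
    for line in trace.splitlines():
        m = TARGET.search(line)  # search: "service 0" is glued in front of one line
        if m:
            attempts.append({"target": m.group(1), "major": None, "minor": None})
        elif attempts and (m := STATUS.match(line.strip())):
            attempts[-1][m.group(1)] = m.group(2).strip()
    return attempts

def to_principal(target, realm):
    """service@host -> service/host@REALM, host lowercased (assumption: no DNS lookup)."""
    service, host = target.split("@", 1)
    return f"{service}/{host.lower()}@{realm}"

def report(trace=TRACE, tickets=TICKETS, realm="KDC.DOMAIN.COM"):
    """(target, principal, ticket held?, major, minor) for each attempt."""
    return [(a["target"], p, p in tickets, a["major"], a["minor"])
            for a in parse_attempts(trace) for p in [to_principal(a["target"], realm)]]

if __name__ == "__main__":
    print(*report(), sep="\n")
```

Each row shows one attempt: the name sent to the server, the principal it corresponds to, whether the listing holds a ticket for that principal, and the server's major and minor status.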