[27889] in Kerberos
Re: kerberized FTP service w/ Mac OS 10.4 server
daemon@ATHENA.MIT.EDU (Markus Moeller)
Wed Jun 6 16:55:24 2007
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Wed, 6 Jun 2007 21:51:45 +0100
Message-ID: <f476p6$ueh$1@sea.gmane.org>
Luke,

When using kerberised ftp, the client will try the ftp principal (ftp/fqdn)
first; if that fails, it uses the host principal. This is what you see in your
cache. Your original problem is related to "Incorrect channel bindings were
supplied", which usually means you are using address translation somewhere
between the client and server. Depending on the server, you can
enable/disable that feature.

Regards
Markus

"Luke Brannon" <brannon@gseis.ucla.edu> wrote in message
news:866813F0-E82E-4CB8-BA85-5F91322342CD@gseis.ucla.edu...
> Some further info...
>
> When I attempt to connect to the server via Fetch 5.2 or Filezilla I
> am granted two tickets (see below). The error I'm getting is: Wrong
> principal in request. I'm not able to see which principal Fetch or
> Filezilla is sending. Unfortunately the server's kdc.log has no info
> in it.
>
> Principal: username@KDC.DOMAIN.COM
> Service: ftp/fqhn.com@KDC.DOMAIN.COM
> Version: Kerberos V5
> Status: Valid
>
> Flags:
> Forwardable: Yes
> Forwarded: No
> Proxiable: Yes
> Proxied: No
> Postdatable: No
> Postdated: No
> Invalid: No
> Renewable: Yes
> Initial: No
> Preauthenticated: Yes
> Hardware Auththenticated: No
> Is S-key: No
>
> IP Addresses: None
>
> #####
>
> Principal: username@KDC.DOMAIN.COM
> Service: host/fqhn.com@KDC.DOMAIN.COM
> Version: Kerberos V5
> Status: Valid
>
> Flags:
> Forwardable: Yes
> Forwarded: No
> Proxiable: Yes
> Proxied: No
> Postdatable: No
> Postdated: No
> Invalid: No
> Renewable: Yes
> Initial: No
> Preauthenticated: Yes
> Hardware Auththenticated: No
> Is S-key: No
>
> IP Addresses: None
>
> Regards,
>
> Luke
>
> On May 25, 2007, at 4:28 PM, Luke Brannon wrote:
>
>> Trying to set up FTP on Mac OS 10.4 server using Kerb for
>> authentication. I've attempted client connections using Fetch v5.2
>> on the Mac (using GSSAPI) as well as with Filezilla (using GSSAPI)
>> and in both cases I am granted a host and ftp ticket, but I get the
>> error:
>>
>> AUTH GSSAPI
>> 334 Send authorization data.
>> gss_send_tok_buff = ftp@FQHN.com
>> ADAT
>> 535-GSSAPI error major: Incorrect channel bindings were supplied
>> 535-GSSAPI error minor: No error
>> 535 GSSAPI error: accepting context [ Incorrect channel bindings
>> were supplied - No error ]
>> release 2
>> service 0
>> gss_send_tok_buff = host@FQHN.com
>> ADAT
>> 535-GSSAPI error major: Miscellaneous failure
>> 535-GSSAPI error minor: Wrong principal in request
>> 535 GSSAPI error: accepting context [ Miscellaneous failure - Wrong
>> principal in request ]
>> release 2
>> service 1
>>
>> I'm not sure if this is a server-side or client-side issue. All
>> other kerberized services on the server are working fine (both AFP
>> and mail). Server logs show the user successfully authenticating.
>> Is there any additional configuration needed on the server end? My
>> queries against Apple's support docs haven't turned anything up,
>> nor has google.
>>
>> Regards,
>>
>> Luke
>>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
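
The address-translation failure described in the reply above, as an added example that is not part of the original thread: a simplified model of how the Kerberos GSSAPI mechanism hashes address-based channel bindings (RFC 4121 section 4.1.1.2) and why a NAT hop makes the server's recomputed hash differ. The function names and all IP addresses are constructed for illustration.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2  # IPv4 address-type constant from the GSSAPI C bindings


def _addr_field(addr_type, packed_addr):
    # addrtype and length are 32-bit little-endian, followed by the raw address
    return struct.pack("<II", addr_type, len(packed_addr)) + packed_addr


def binding_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over initiator address, acceptor address and application data."""
    buf = _addr_field(GSS_C_AF_INET, socket.inet_aton(initiator_ip))
    buf += _addr_field(GSS_C_AF_INET, socket.inet_aton(acceptor_ip))
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).hexdigest()


def acceptor_check(client_hash, peer_ip_seen, local_ip):
    """Server side: rebuild the bindings from the socket's view and compare."""
    if client_hash == binding_hash(peer_ip_seen, local_ip):
        return "ok"
    return "Incorrect channel bindings were supplied"


# Constructed addresses: client on a private LAN, NAT gateway, FTP server.
CLIENT_LAN_IP = "10.0.0.5"
NAT_PUBLIC_IP = "198.51.100.7"
SERVER_IP = "203.0.113.20"


def scenario(via_nat):
    # The client always hashes its own local address as the initiator.
    sent = binding_hash(CLIENT_LAN_IP, SERVER_IP)
    # The server sees the NAT's address as the peer when translation is in use.
    peer = NAT_PUBLIC_IP if via_nat else CLIENT_LAN_IP
    return acceptor_check(sent, peer, SERVER_IP)


if __name__ == "__main__":
    print("direct :", scenario(via_nat=False))
    print("via NAT:", scenario(via_nat=True))
```

The service ticket itself is valid in both cases; only the address comparison fails, which matches the `ftp@` attempt in the quoted log being rejected on channel bindings rather than on the principal.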