[31574] in Kerberos
Re: ftp GSSAPI messages
daemon@ATHENA.MIT.EDU (peter sands)
Tue Oct 13 11:47:41 2009
From: peter sands <peter_sands@techemail.com>
Date: Tue, 13 Oct 2009 08:12:15 -0700 (PDT)
Message-ID: <90e345ff-2f17-4100-8fef-d1e0ecd02121@k17g2000yqb.googlegroups.com>
To: kerberos@mit.edu
> Trace the ftp server and look for ENOENT errors. I bet you'll find that
> either the krb5.conf file or the krb5.keytab file are missing.
>
> Nico
> --
Thanks, you're right, I had the keytab but with the wrong filename.
Now I get another error:
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request
GSSAPI error: accepting context
If I run in debug mode it first tries the ftp principal, fails with
the gssapi error, then falls back to the host principal and connects.
All looks good with the DNS and /etc/hosts, which seems to be the main
problem with this error.
The main kdc logs show a ticket for the host principal eng01, instead
of ftp/eng01:
Oct 13 15:35:02 elec01 /usr/krb5/sbin/krb5kdc[508042](info): AS_REQ (5 etypes {16 23 18 3 1}) 172.22.11.114(88): ISSUE: authtime 1255444502, etypes {rep=16 tkt=16 ses=16}, host/eng01.mydomain.com@MYDOMAIN.COM for kadmin/admin@MYDOMAIN.COM
$ ftp -d eng01.mydomain.com
Connected to eng01.mydomain.com.
220 syg04 FTP server (Version 4.2 Fri Mar 13 12:08:31 CDT 2009) ready.
---> AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
Trying to authenticate to <ftp@eng01.mydomain.com>
calling gss_init_sec_context
---> ADAT
YIICIAYJKoZIhvcSAQICAQBuggIPMIICC6ADAgEFoQMCAQ6iBwMFACAAAACjggEnYYIBIz
CCAR+gAwIBBaEMGwpBQ0VJTlMuQ09NoigwJqADAgEDoR8w
........
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request
GSSAPI error: accepting context
ADAT command failed
Trying to authenticate to <host@eng01.mydomain.com>
calling gss_init_sec_context
---> ADAT YIICIQYJKoZIhvcSAQICAQBuggIQMIICDKADAgEFoQMCA
calling gss_init_sec_context
Name (eng01.mydomain.com:psands):
ftp>
Any help please
thanks
Pete.
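
Added example, not part of the original post: a small parser for krb5kdc request lines in the format quoted above. It separates the client principal (before "for") from the service principal (after it) and lists the TGS_REQ entries for a given service such as ftp/eng01.mydomain.com. The two TGS_REQ sample lines, their address and the psands@MYDOMAIN.COM client are constructed for illustration.

```python
import re

# krb5kdc request line, in the format of the log entry quoted in the post:
#   REQ (n etypes {...}) addr: STATUS: authtime N, [etypes {...},] CLIENT for SERVER
KDC_LINE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"authtime \d+,(?:\s+etypes \{[^}]*\},)?\s+"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
)

PREFIX = "elec01 /usr/krb5/sbin/krb5kdc[508042](info): "
ETYPES = "etypes {rep=16 tkt=16 ses=16}, "
# First entry is the line from the post (re-joined). The two TGS_REQ entries
# are constructed sample data, not taken from the poster's KDC.
SAMPLE_LOG = [
    "Oct 13 15:35:02 " + PREFIX + "AS_REQ (5 etypes {16 23 18 3 1}) "
    "172.22.11.114(88): ISSUE: authtime 1255444502, " + ETYPES +
    "host/eng01.mydomain.com@MYDOMAIN.COM for kadmin/admin@MYDOMAIN.COM",
    "Oct 13 15:36:10 " + PREFIX + "TGS_REQ (5 etypes {16 23 18 3 1}) "
    "172.22.11.120(88): ISSUE: authtime 1255444560, " + ETYPES +
    "psands@MYDOMAIN.COM for ftp/eng01.mydomain.com@MYDOMAIN.COM",
    "Oct 13 15:36:11 " + PREFIX + "TGS_REQ (5 etypes {16 23 18 3 1}) "
    "172.22.11.120(88): ISSUE: authtime 1255444560, " + ETYPES +
    "psands@MYDOMAIN.COM for host/eng01.mydomain.com@MYDOMAIN.COM",
]

def parse_kdc_line(line):
    """Return req/addr/status/client/server for a KDC request line, else None."""
    m = KDC_LINE.search(line)
    return m.groupdict() if m else None

def service_requests(lines, service, host):
    """Return (status, client) for each TGS_REQ naming service/host@REALM."""
    wanted = f"{service}/{host}@"
    hits = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["req"] == "TGS_REQ" and rec["server"].startswith(wanted):
            hits.append((rec["status"], rec["client"]))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_kdc_line(line)
        print(rec["req"], rec["status"], rec["client"], "->", rec["server"])
    for svc in ("ftp", "host"):
        print(svc, service_requests(SAMPLE_LOG, svc, "eng01.mydomain.com"))
```
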