Subject: FTP - GSSAPI Error acquiring credentials
Date: Tue, 8 Jun 2004 13:01:03 -0400
From: "Pierre Goyette" <pierre@montreal.hcl.com>
To: <kfw-bugs@mit.edu>

I have a Solaris box with MIT Kerberos 1.3.3 installed as an application server which is part of a Windows 2000 KDC.

I can perform a kerberized telnet to the box perfectly. However, I cannot ftp to the box. In my system log (and I enabled debugging for ftpd), I see:

Jun 8 12:51:04 ultra ftpd[1062]: [ID 291755 daemon.info] importing <ftp@ultra>
Jun 8 12:51:04 ultra ftpd[1062]: [ID 291755 daemon.info] importing <host@ultra>
Jun 8 12:51:04 ultra ftpd[1062]: [ID 399347 daemon.error] gssapi error acquiring credentials
Jun 8 12:51:04 ultra ftpd[1062]: [ID 291755 daemon.info] importing <host@ultra>
Jun 8 12:51:04 ultra ftpd[1062]: [ID 399347 daemon.error] gssapi error acquiring credentials

An Ethereal trace shows the client receiving a 501-GSSAPI error minor: no principal in keytab matches desired name.

ktutil on the host shows:

# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 host/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM
2 1 ftp/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM

On my client, I properly acquire all the right tickets, klist -e shows:

Ticket cache: API:krb5cc
Default principal: pierre@MTLW2KTEST.MONTREAL.HCL.COM

Valid starting     Expires            Service principal
06/08/04 08:01:18  06/08/04 18:01:18  krbtgt/MTLW2KTEST.MONTREAL.HCL.COM@MTLW2KTEST.MONTREAL.HCL.COM
        renew until 06/15/04 08:01:18, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/08/04 12:04:48  06/08/04 18:01:18  host/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM
        renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
06/08/04 12:05:47  06/08/04 18:01:18  ftp/ultra.mtlw2ktest.montreal.hcl.com@MTLW2KTEST.MONTREAL.HCL.COM
        renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: API:krb4cc

On my FTP client, I tried using either 'host' or 'ftp' as the GSS Service Name and still get the same error.

What could be the problem?

TIA,
Pierre Goyette