Discussion:
kerberized FTP service w/ Mac OS 10.4 server
Luke Brannon
2007-05-25 23:28:27 UTC
Trying to set up FTP on Mac OS 10.4 server using Kerb for
authentication. I've attempted client connections using Fetch v5.2
on the Mac (using GSSAPI) as well as with Filezilla (using GSSAPI)
and in both cases I am granted a host and ftp ticket, but I get the
error:

AUTH GSSAPI
334 Send authorization data.
gss_send_tok_buff = ftp at FQHN.com
ADAT
535-GSSAPI error major: Incorrect channel bindings were supplied
535-GSSAPI error minor: No error
535 GSSAPI error: accepting context [ Incorrect channel bindings were
supplied - No error ]
release 2
service 0gss_send_tok_buff = host at FQHN.com
ADAT
535-GSSAPI error major: Miscellaneous failure
535-GSSAPI error minor: Wrong principal in request
535 GSSAPI error: accepting context [ Miscellaneous failure - Wrong
principal in request ]
release 2
service 1

I'm not sure if this is a server-side or client-side issue. All
other kerberized services on the server are working fine (both AFP
and mail). Server logs show the user successfully authenticating.
Is there any additional configuration needed on the server end? My
queries against Apple's support docs haven't turned anything up, nor
has Google.

Regards,

Luke
Luke Brannon
2007-06-06 18:05:24 UTC
Some further info...

When I attempt to connect to the server via Fetch 5.2 or Filezilla I
am granted two tickets (see below). The error I'm getting is: Wrong
principal in request. I'm not able to see which principal Fetch or
Filezilla is sending. Unfortunately the server's kdc.log has no info
in it.

Principal: username at KDC.DOMAIN.COM
Service: ftp/fqhn.com at KDC.DOMAIN.COM
Version: Kerberos V5
Status: Valid

Flags:
Forwardable: Yes
Forwarded: No
Proxiable: Yes
Proxied: No
Postdatable: No
Postdated: No
Invalid: No
Renewable: Yes
Initial: No
Preauthenticated: Yes
Hardware Auththenticated: No
Is S-key: No

IP Addresses: None

#####

Principal: username at KDC.DOMAIN.COM
Service: host/fqhn.com at KDC.DOMAIN.COM
Version: Kerberos V5
Status: Valid

Flags:
Forwardable: Yes
Forwarded: No
Proxiable: Yes
Proxied: No
Postdatable: No
Postdated: No
Invalid: No
Renewable: Yes
Initial: No
Preauthenticated: Yes
Hardware Auththenticated: No
Is S-key: No

IP Addresses: None

Regards,

Luke
Markus Moeller
2007-06-06 20:51:45 UTC
Luke,

When using kerberised ftp the client will first try the ftp/fqdn principal;
if that fails it uses the host principal. This is what you see in your
cache. Your original problem is related to "Incorrect channel bindings were
supplied", which usually means you are using address translation somewhere
between the client and server. Depending on the server you can
enable/disable that feature.

Regards
Markus


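
The channel-binding failure Markus describes, worked through as an added example that is not part of the original thread. It assumes the FTP client and server bind the IPv4 addresses of the control connection (as the GSSAPI appendix of RFC 2228 specifies) and that the Kerberos 5 mechanism hashes them with the layout in RFC 4121 section 4.1.1.2; all addresses are constructed, and the reply strings returned by the hypothetical `acceptor_check` are simplified.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2  # GSS-API address type for IPv4


def krb5_bnd(initiator_ip: str, acceptor_ip: str, app_data: bytes = b"") -> str:
    """MD5 'Bnd' value the Kerberos 5 GSS-API mechanism derives from channel bindings.

    Each address is encoded as type (4-byte little-endian), length
    (4-byte little-endian) and raw bytes, followed by the
    length-prefixed application data (empty here).
    """
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        raw = socket.inet_aton(ip)
        buf += struct.pack("<II", GSS_C_AF_INET, len(raw)) + raw
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).hexdigest()


def acceptor_check(client_view, server_view):
    """Compare the Bnd the client sent with the one the server computes itself."""
    sent = krb5_bnd(*client_view)        # built from the client's socket addresses
    expected = krb5_bnd(*server_view)    # built from the server's socket addresses
    if sent == expected:
        return "235 ADAT accepted"
    return "535 GSSAPI error major: Incorrect channel bindings were supplied"


# Constructed addresses (private and documentation ranges), not from the thread.
CLIENT_LAN = "192.168.1.20"   # address the client's socket is bound to
NAT_PUBLIC = "203.0.113.7"    # source address the server sees after translation
SERVER = "198.51.100.10"      # FTP server


def direct_path():
    # No translation: both ends see the same (client, server) address pair.
    return acceptor_check((CLIENT_LAN, SERVER), (CLIENT_LAN, SERVER))


def natted_path():
    # The server sees the NAT address as its peer, so its Bnd differs.
    return acceptor_check((CLIENT_LAN, SERVER), (NAT_PUBLIC, SERVER))


if __name__ == "__main__":
    print("direct:", direct_path())
    print("NAT:   ", natted_path())
```

Comparing the client's local address with the peer address logged by the FTP server is a quick way to confirm whether translation is in the path before changing the server's channel-binding setting.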
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos