SCIENTIFIC-LINUX-USERS Archives

July 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Steven Timm <[log in to unmask]>
Reply To: Steven Timm <[log in to unmask]>
Date: Thu, 30 Jul 2009 11:55:37 -0500

What happens if, as root on the server, you do

kinit -k [log in to unmask]

klist -f

That will show you if the ftp principal in the keytab is OK. Given the
different version numbers it might not be.

Steve


On Thu, 30 Jul 2009, Ron Rechenmacher wrote:

> Hi Steve,
> The account is my own user account and I can ssh to it.
> I currently have iptables off.
> I do have:
> ftpd: ALL
> in /etc/hosts.allow
> and
> ALL: ALL: banners /etc/banners
> in host.deny (again, I can ssh into the node just fine).
> Thanks for the reply.
> This problem is puzzling to me.
>
> I tried adding the -v option (actually -v -v -v just in case) to server_args in 
> xinetd.d/gssftp. I just get the additional info of importing the ftp and host 
> principal info (from the keytab).
> In my /etc/krb5.keytab file I do see something a bit strange:
> The KVNO for the ftp entry is 3 while the host line has KVNO 6.
>
> --Ron
>
> Steven Timm wrote:
>> Does the account that you are trying to ftp into on the
>> server side have a valid shell?  Is that shell listed in /etc/shells?
>> Is ftpd open in the iptables on the server side, and in /etc/hosts.allow,
>> hosts.deny?
>> 
>> Steve
>> 
>> 
>> 
>> On Thu, 30 Jul 2009, Ron Rechenmacher wrote:
>> 
>>> Hi,
>>> I'm having trouble connecting to a SLF5 kerberized ftpd from an SLF5 
>>> kerberized ftp client.
>>> 
>>> On the server, I'm using:
>>> rpm -qf /usr/kerberos/sbin/ftpd
>>> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>>> 
>>> On the client, I'm using:
>>> rpm -qf /usr/kerberos/bin/ftp
>>> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>>> 
>>> 
>>> On the client side, I get:
>>> ...
>>> GSSAPI error major: Unspecified GSS failure.  Minor code may provide more 
>>> information
>>> GSSAPI error minor: Permission denied
>>> GSSAPI error: acquiring credentials
>>> GSSAPI ADAT failed
>>> GSSAPI authentication failed
>>> ...
>>> 
>>> 
>>> and on the server side, in /var/log/messages, I get:
>>> ...
>>>   ftpd[25305]: gssapi error acquiring credentials
>>> ...
>>> 
>>> I do have a valid ticket! and I can connect to another SLF5 node, so it 
>>> seems to be a server issue.
>>> 
>>> I've tried looking at the kdc logs on fnalu...
>>> I used to be able to "tail -f" the log in the tmp directory but now I can 
>>> just see a log file that seems to be several hours old. In that log file, 
>>> however, I do see an "ISSUE:" line for my server, so it would appear that 
>>> I do have a valid ftp principal.
>>> 
>>> Any suggestions?
>>> 
>>> Thanks,
>>> Ron
>>> 
>> 
>

-- 
------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
[log in to unmask]  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.
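
Added example, not part of the original messages: a shell helper that reads plain `klist -k` output and compares the highest KVNO the keytab holds for one principal with the KVNO the KDC currently issues (the number the MIT `kvno` command prints). The host name, realm and sample listing are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a keytab's KVNO for one principal with the KDC's.
# Assumes plain `klist -k` (or `klist -ke`) output: KVNO in column 1,
# principal in column 2. With `-t` a timestamp column shifts the principal.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/node.example.org@EXAMPLE.ORG
   6 host/node.example.org@EXAMPLE.ORG
   3 ftp/node.example.org@EXAMPLE.ORG
   3 ftp/node.example.org@EXAMPLE.ORG'

# keytab_kvno PRINCIPAL
# Reads a keytab listing on stdin and prints the highest KVNO stored for
# PRINCIPAL. Prints nothing and returns 1 if the principal has no entry.
keytab_kvno() {
    awk -v p="$1" '
        BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0 }
        END { if (max < 0) exit 1; print max }'
}

# check_kvno PRINCIPAL KDC_KVNO
# Reads a keytab listing on stdin and prints one of:
#   OK       keytab and KDC agree
#   STALE    keytab is older than the key the KDC now uses
#   AHEAD    keytab is newer than what the KDC reported
#   MISSING  principal is not in the keytab at all
check_kvno() {
    kt=$(keytab_kvno "$1") || { echo "MISSING"; return 2; }
    if [ "$kt" -eq "$2" ]; then echo "OK"
    elif [ "$kt" -lt "$2" ]; then echo "STALE"; return 1
    else echo "AHEAD"; return 1
    fi
}

# Live use, as root on the server (principal name is a placeholder):
#   klist -k /etc/krb5.keytab | check_kvno ftp/node.example.org@EXAMPLE.ORG 3
# where 3 is the value printed by: kvno ftp/node.example.org@EXAMPLE.ORG
```

Each principal is checked against its own KDC value, so the ftp and host entries are compared separately rather than with each other.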
