SCIENTIFIC-LINUX-USERS Archives

July 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Ron Rechenmacher <[log in to unmask]>
Date: Thu, 30 Jul 2009 11:40:25 -0500

Hi Steve,
The account is my own user account and I can ssh to it.
I currently have iptables off.
I do have:
ftpd: ALL
in /etc/hosts.allow
and
ALL: ALL: banners /etc/banners
in host.deny (again, I can ssh into the node just fine).
Thanks for the reply.
This problem is puzzling to me.

I tried adding the -v option (actually -v -v -v just in case) to 
server_args in xinetd.d/gssftp. I just get the additional info of 
importing the ftp and host principal info (from the keytab).
In my /etc/krb5.keytab file I do see something a bit strange:
The KVNO for the ftp entry is 3 while the host line has KVNO 6.

--Ron

Steven Timm wrote:
> Does the account that you are trying to ftp into on the
> server side have a valid shell?  Is that shell listed in /etc/shells?
> Is ftpd open in the iptables on the server side, and in /etc/hosts.allow,
> hosts.deny?
> 
> Steve
> 
> 
> 
> On Thu, 30 Jul 2009, Ron Rechenmacher wrote:
> 
>> Hi,
>> I'm having trouble connecting to a SLF5 kerberized ftpd from an SLF5 
>> kerberized ftp client.
>>
>> On the server, I'm using:
>> rpm -qf /usr/kerberos/sbin/ftpd
>> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>>
>> On the client, I'm using:
>> rpm -qf /usr/kerberos/bin/ftp
>> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>>
>>
>> On the client side, I get:
>> ...
>> GSSAPI error major: Unspecified GSS failure.  Minor code may provide 
>> more information
>> GSSAPI error minor: Permission denied
>> GSSAPI error: acquiring credentials
>> GSSAPI ADAT failed
>> GSSAPI authentication failed
>> ...
>>
>>
>> and on the server side, in /var/log/messages, I get:
>> ...
>>   ftpd[25305]: gssapi error acquiring credentials
>> ...
>>
>> I do have a valid ticket! and I can connect to another SLF5 node, so 
>> it seems to be a server issue.
>>
>> I've tried looking at the kdc logs on fnalu...
>> I used to be able to "tail -f" the log in the tmp directory but now I 
>> can just see a log file that seems to be several hours old. In that 
>> log file, however, I do see an "ISSUE:" line for my server, so it 
>> would appear that I do have a valid ftp principal.
>>
>> Any suggestions?
>>
>> Thanks,
>> Ron
>>
> 
