Does the account that you are trying to ftp into on the
server side have a valid shell?  is that shell listed in /etc/shells?
Is ftpd open in the iptables on the server side, and in /etc/hosts.allow,
hosts.deny?

Steve



On Thu, 30 Jul 2009, Ron Rechenmacher wrote:

> Hi,
> I'm having trouble connecting to a SLF5 kerberized ftpd from an SLF5 
> kerberized ftp client.
>
> On the server, I'm using:
> rpm -qf /usr/kerberos/sbin/ftpd
> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>
> On the client, I'm using:
> rpm -qf rpm -qf /usr/kerberos/bin/ftp
> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>
>
> On the client side, I get:
> ...
> GSSAPI error major: Unspecified GSS failure.  Minor code may provide more 
> information
> GSSAPI error minor: Permission denied
> GSSAPI error: acquiring credentials
> GSSAPI ADAT failed
> GSSAPI authentication failed
> ...
>
>
> and on the server side, in /var/log/messages, I get:
> ...
>   ftpd[25305]: gssapi error acquiring credentials
> ...
>
> I do have a valid ticket! and I can connect to another SLF5 node, so it seems 
> to be a server issue.
>
> I've tried looking at the kdc logs on fnalu...
> I use to be able to "tail -f" the log in the tmp directory but now I can just 
> see a log file that seems to be several hours old. In that log file, however, 
> I do see an "ISSUE:" line for my server, so it would appear that I do have a 
> valid ftp principal.
>
> Any suggestions?
>
> Thanks,
> Ron
>

-- 
------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
[log in to unmask]  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.