Thanks for this "chant" (I hadn't learned/used the -k flag before :)
I was able to successfully kinit -k for both the host and ftp
principals. So the ftp principal is OK and something else must be wrong.
Thanks again Steve.
--Ron
Steven Timm wrote:
> What happens, if, as root on the server, you do
>
> kinit -k [log in to unmask]
>
> klist -f
>
> That will show you if the ftp principal in the keytab is OK. Given the
> different version numbers it might not be.
>
> Steve
>
>
> On Thu, 30 Jul 2009, Ron Rechenmacher wrote:
>
>> Hi Steve,
>> The account is my own user account and I can ssh to it.
>> I currently have iptables off.
>> I do have:
>> ftpd: ALL
>> in /etc/hosts.allow
>> and
>> ALL: ALL: banners /etc/banners
>> in host.deny (again, I can ssh into the node just fine).
>> Thanks for the reply.
>> This problem is puzzling to me.
>>
>> I tried adding the -v option (actually -v -v -v just in case) to
>> server_args in xinetd.d/gssftp. I just get the additional info of
>> importing the ftp and host principal info (from the keytab).
>> In my /etc/krb5.keytab file I do see something a bit strange:
>> The KVNO for the ftp entry is 3 while the host line has KVNO 6.
>>
>> --Ron
>>
>> Steven Timm wrote:
>>> Does the account that you are trying to ftp into on the
>>> server side have a valid shell? is that shell listed in /etc/shells?
>>> Is ftpd open in the iptables on the server side, and in
>>> /etc/hosts.allow, hosts.deny?
>>>
>>> Steve
>>>
>>>
>>>
>>> On Thu, 30 Jul 2009, Ron Rechenmacher wrote:
>>>
>>>> Hi,
>>>> I'm having trouble connecting to a SLF5 kerberized ftpd from an SLF5
>>>> kerberized ftp client.
>>>>
>>>> On the server, I'm using:
>>>> rpm -qf /usr/kerberos/sbin/ftpd
>>>> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>>>>
>>>> On the client, I'm using:
>>>> rpm -qf /usr/kerberos/bin/ftp
>>>> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>>>>
>>>>
>>>> On the client side, I get:
>>>> ...
>>>> GSSAPI error major: Unspecified GSS failure. Minor code may provide
>>>> more information
>>>> GSSAPI error minor: Permission denied
>>>> GSSAPI error: acquiring credentials
>>>> GSSAPI ADAT failed
>>>> GSSAPI authentication failed
>>>> ...
>>>>
>>>>
>>>> and on the server side, in /var/log/messages, I get:
>>>> ...
>>>> ftpd[25305]: gssapi error acquiring credentials
>>>> ...
>>>>
>>>> I do have a valid ticket! and I can connect to another SLF5 node, so
>>>> it seems to be a server issue.
>>>>
>>>> I've tried looking at the kdc logs on fnalu...
>>>> I used to be able to "tail -f" the log in the tmp directory but now I
>>>> can just see a log file that seems to be several hours old. In that
>>>> log file, however, I do see an "ISSUE:" line for my server, so it
>>>> would appear that I do have a valid ftp principal.
>>>>
>>>> Any suggestions?
>>>>
>>>> Thanks,
>>>> Ron
>>>>
>>>
>>
>
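The thread narrows the problem down by running `kinit -k` for each service principal, which proves that the key in the keytab still matches the version the KDC holds. A difference in KVNO between two different principals (here ftp at 3, host at 6) is not by itself an error; what breaks `kinit -k` and produces "gssapi error acquiring credentials" in a daemon is a keytab whose KVNO for a principal lags the KDC's. The script below is an added diagnostic written for this page, not code from the thread or from the krb5 distribution. It compares the KVNOs in a saved `klist -kt` listing with the KVNOs reported by `kvno` (which needs a valid TGT to run) and flags any principal that is missing or stale. The host name `ftpsrv.example.com` and realm `EXAMPLE.COM` in the constructed sample data are assumed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not code from the thread): compare the key version
# numbers (KVNO) stored in a keytab with the KVNO the KDC currently has for
# each principal.  A keytab whose KVNO lags the KDC is the usual reason
# "kinit -k <principal>" fails and a kerberized daemon logs
# "gssapi error acquiring credentials".
#
# Inputs are plain text files captured beforehand, e.g.
#   klist -kt /etc/krb5.keytab                        > keytab.txt
#   kvno ftp/$(hostname -f) host/$(hostname -f)       > kvno.txt   # needs a TGT
# Host name and realm in the sample data below are assumed placeholders.

# Entries in `klist -kt` output start with a numeric KVNO; the principal is
# the last field.  Keep the highest KVNO seen for each principal, since a
# keytab may hold several enctypes and older key versions.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ {
             if (!($NF in v) || $1 + 0 > v[$NF]) v[$NF] = $1 + 0
         }
         END { for (p in v) print p, v[p] }' "$1" | sort
}

# `kvno` prints one line per principal: "principal: kvno = N".
kdc_kvnos() {
    awk -F': kvno = ' 'NF == 2 { print $1, $2 + 0 }' "$1" | sort
}

# compare_kvno KEYTAB_LISTING KVNO_LISTING
# Prints one line per principal known to the KDC: OK, MISMATCH or MISSING.
# Returns 1 if any principal is not usable from this keytab.
compare_kvno() {
    kt=$(keytab_kvnos "$1")
    report=$(kdc_kvnos "$2" | while read -r princ want; do
        have=$(printf '%s\n' "$kt" | awk -v p="$princ" '$1 == p { print $2 }')
        if [ -z "$have" ]; then
            echo "MISSING $princ: not in keytab (KDC kvno $want)"
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $princ: keytab kvno $have, KDC kvno $want"
        else
            echo "OK $princ: kvno $have"
        fi
    done)
    printf '%s\n' "$report"
    case "$report" in
        *MISMATCH*|*MISSING*) return 1 ;;
    esac
    return 0
}

# write_samples DIR: constructed sample listings modelled on the thread
# (ftp principal at KVNO 3 in the keytab while the KDC is at 4; host at 6).
write_samples() {
    cat > "$1/keytab.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/30/09 09:12:01 ftp/ftpsrv.example.com@EXAMPLE.COM
   3 07/30/09 09:12:01 ftp/ftpsrv.example.com@EXAMPLE.COM
   6 07/30/09 09:12:01 host/ftpsrv.example.com@EXAMPLE.COM
   6 07/30/09 09:12:01 host/ftpsrv.example.com@EXAMPLE.COM
EOF
    cat > "$1/kvno.txt" <<'EOF'
ftp/ftpsrv.example.com@EXAMPLE.COM: kvno = 4
host/ftpsrv.example.com@EXAMPLE.COM: kvno = 6
EOF
}

# Stand-alone run on the constructed sample: reports MISMATCH for ftp, OK for host.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    compare_kvno "$d/keytab.txt" "$d/kvno.txt"
    rm -rf "$d"
fi
```

Run it as `sh check_kvno.sh --demo` to see the sample report, or feed it real listings with `compare_kvno keytab.txt kvno.txt` after sourcing the file. A MISMATCH for the service principal means the keytab must be regenerated from the KDC (ktadd, or the site's keytab distribution tool) rather than the daemon's configuration being at fault; an OK for every principal, as Ron found with `kinit -k`, points elsewhere (xinetd, TCP wrappers, the account's shell).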