SCIENTIFIC-LINUX-USERS Archives

July 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Ron Rechenmacher <[log in to unmask]>
Reply To:
Date:
Thu, 30 Jul 2009 12:29:28 -0500
Thanks for this "chant" (I hadn't learned/used the -k flag before :)
I was able to successfully kinit -k for both the host and ftp 
principals. So the ftp principal is OK and something else must be wrong.
Thanks again Steve.

--Ron

Steven Timm wrote:
> What happens, if, as root on the server, you do
> 
> kinit -k [log in to unmask]
> 
> klist -f
> 
> That will show you if the ftp principal in the keytab is OK.  Given the 
> different version numbers it might not be.
> 
> Steve
> 
> 
> On Thu, 30 Jul 2009, Ron Rechenmacher wrote:
> 
>> Hi Steve,
>> The account is my own user account and I can ssh to it.
>> I currently have iptables off.
>> I do have:
>> ftpd: ALL
>> in /etc/hosts.allow
>> and
>> ALL: ALL: banners /etc/banners
>> in host.deny (again, I can ssh into the node just fine).
>> Thanks for the reply.
>> This problem is puzzling to me.
>>
>> I tried adding the -v option (actually -v -v -v just in case) to 
>> server_args in xinetd.d/gssftp. I just get the additional info of 
>> importing the ftp and host principal info (from the keytab).
>> In my /etc/krb5.keytab file I do see something a bit strange:
>> The KVNO for the ftp entry is 3 while the host line has KVNO 6.
>>
>> --Ron
>>
>> Steven Timm wrote:
>>> Does the account that you are trying to ftp into on the
>>> server side have a valid shell?  Is that shell listed in /etc/shells?
>>> Is ftpd open in the iptables on the server side, and in 
>>> /etc/hosts.allow,
>>> hosts.deny?
>>>
>>> Steve
>>>
>>>
>>>
>>> On Thu, 30 Jul 2009, Ron Rechenmacher wrote:
>>>
>>>> Hi,
>>>> I'm having trouble connecting to a SLF5 kerberized ftpd from an SLF5 
>>>> kerberized ftp client.
>>>>
>>>> On the server, I'm using:
>>>> rpm -qf /usr/kerberos/sbin/ftpd
>>>> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>>>>
>>>> On the client, I'm using:
>>>> rpm -qf /usr/kerberos/bin/ftp
>>>> krb5-workstation-1.6.1-31.el5_3.3.x86_64
>>>>
>>>>
>>>> On the client side, I get:
>>>> ...
>>>> GSSAPI error major: Unspecified GSS failure.  Minor code may provide 
>>>> more information
>>>> GSSAPI error minor: Permission denied
>>>> GSSAPI error: acquiring credentials
>>>> GSSAPI ADAT failed
>>>> GSSAPI authentication failed
>>>> ...
>>>>
>>>>
>>>> and on the server side, in /var/log/messages, I get:
>>>> ...
>>>>   ftpd[25305]: gssapi error acquiring credentials
>>>> ...
>>>>
>>>> I do have a valid ticket! and I can connect to another SLF5 node, so 
>>>> it seems to be a server issue.
>>>>
>>>> I've tried looking at the kdc logs on fnalu...
>>>> I used to be able to "tail -f" the log in the tmp directory but now I 
>>>> can just see a log file that seems to be several hours old. In that 
>>>> log file, however, I do see an "ISSUE:" line for my server, so it 
>>>> would appear that I do have a valid ftp principal.
>>>>
>>>> Any suggestions?
>>>>
>>>> Thanks,
>>>> Ron
>>>>
>>>
>>
> 
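
Added example, not part of the original thread: a small shell helper that summarises `klist -k` output per principal, so the KVNO comparison discussed above can be read at a glance. Each principal carries its own key version number, so ftp at 3 and host at 6 is not a mismatch in itself; the helper instead marks a principal whose keytab holds more than one key version. The sample listing, host name and realm are constructed.

```shell
#!/bin/sh
# Added example: summarise `klist -k` output per principal.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread's host).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/node.example.org@EXAMPLE.ORG
   6 host/node.example.org@EXAMPLE.ORG
   3 ftp/node.example.org@EXAMPLE.ORG
   3 ftp/node.example.org@EXAMPLE.ORG
   2 nfs/node.example.org@EXAMPLE.ORG
   4 nfs/node.example.org@EXAMPLE.ORG
EOF
}

# Reads `klist -k` text on stdin and prints one line per principal:
#   <principal> kvno=<distinct KVNOs, in keytab order> <single|MULTIPLE>
# Repeated lines with the same KVNO (one per encryption type) are collapsed.
keytab_summary() {
    awk '
        # Entry lines have exactly two fields: a numeric KVNO and the principal.
        NF == 2 && $1 ~ /^[0-9]+$/ {
            p = $2
            if (!(p in seen)) { order[++n] = p; seen[p] = 1 }
            if (!((p, $1) in have)) {
                have[p, $1] = 1
                list[p] = (list[p] == "" ? $1 : list[p] "," $1)
                count[p]++
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                printf "%s kvno=%s %s\n", p, list[p], (count[p] > 1 ? "MULTIPLE" : "single")
            }
        }'
}

# On a real server, as root: klist -k /etc/krb5.keytab | keytab_summary
sample_klist | keytab_summary
```

A principal marked MULTIPLE still has older keys in the keytab; the `kinit -k` test from the thread then shows whether the keytab can actually obtain a ticket for that principal.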
