Viewing 4 posts - 1 through 4 (of 4 total)
    #369169
    mosx86
    Participant

    I’m trying to get FTP up and running using only Kerberos for authentication. The service is starting up with no errors, but I can’t get any “kerberized” FTP clients to connect, on either Mac or PC. On the Mac I’m trying to connect with Fetch 5.2 via GSSAPI. On the PC, I’m using FileZilla. In both cases I’m getting the same error message:

    Here is the transcript from Fetch:

    Connecting to FQHN.com port 21 (Mac OS X firewall is off) (5/24/07 3:19:16 PM)
    Connected to IPobscurred port 21 (5/24/07 3:19:16 PM)
    220--------------------------------------------------------------------------------------
    220-This is the “Banner” message for the Mac OS X Server’s FTP server process.
    220-
    220- FTP clients will receive this message immediately
    220- before being prompted for a name and password.
    220-
    220-PLEASE NOTE:
    220-
    220- Some FTP clients may exhibit problems if you make this file too long.
    220-
    220--------------------------------------------------------------------------------------
    220-
    220 FQHN.com FTP server ready.
    ADAT
    503 You must issue an AUTH first.
    AUTH This command is checking whether this server supports Kerberos or GSS security, see RFC 2228
    504 This command is checking whether this server supports Kerberos or GSS security, see RFC 2228 is unknown to me
    AUTH GSSAPI
    334 Send authorization data.
    gss_send_tok_buff = [email protected]
    ADAT
    535-GSSAPI error major: Incorrect channel bindings were supplied
    535-GSSAPI error minor: No error
    535 GSSAPI error: accepting context [ Incorrect channel bindings were supplied – No error ]
    release 2
    service 0gss_send_tok_buff = [email protected]
    ADAT
    535-GSSAPI error major: Miscellaneous failure
    535-GSSAPI error minor: Wrong principal in request
    535 GSSAPI error: accepting context [ Miscellaneous failure – Wrong principal in request ]
    release 2
    service 1

    In both cases, Apple’s Kerberos utility is getting both a FTP and Host ticket from the KDC (an Open Directory Master). On the PC, I’m also being granted tickets (using Leash).

    All in all, the other kerberized services we’re offering are up and running with no issues. Has anybody gotten this to work?

    #369237
    mosx86
    Participant

    Some further info:

    When attempting the connection I’m granted two tickets from the KDC, so it appears that authentication is successful. However, the error reported is that I’m using the wrong principal. Also of note, the kdc.log is empty. Has Apple redirected kdc.log messages to another log file?

    Principal: [email protected]
    Service: ftp/[email protected]
    Version: Kerberos V5
    Status: Valid

    Flags:
    Forwardable: Yes
    Forwarded: No
    Proxiable: Yes
    Proxied: No
    Postdatable: No
    Postdated: No
    Invalid: No
    Renewable: Yes
    Initial: No
    Preauthenticated: Yes
    Hardware Authenticated: No
    Is S-key: No

    IP Addresses: None

    #####

    Principal: [email protected]
    Service: host/[email protected]
    Version: Kerberos V5
    Status: Valid

    Flags:
    Forwardable: Yes
    Forwarded: No
    Proxiable: Yes
    Proxied: No
    Postdatable: No
    Postdated: No
    Invalid: No
    Renewable: Yes
    Initial: No
    Preauthenticated: Yes
    Hardware Authenticated: No
    Is S-key: No

    IP Addresses: None

    #369256
    mosx86
    Participant

    I’ve been told that the error is most likely associated with NAT. Unfortunately, I’m not using NAT; however, I would like to take a look at the server IP address in the tickets I’m assigned. If I inspect the tickets in Apple’s Kerberos.app, it gives me the FQHN. Does anyone here know how to view the actual IP?

    #369302
    mosx86
    Participant

    Quote by: MacTroll
    Your FQDN match up with the IP address that you’re using?

        host yourname.com

    Would tell you what DNS is resolving it to.

    Yeah, I’ve done both forward and reverse lookups on the host and server… Everything pans out. Single sign-on is working fine for AFP and mail. The server appears to be handing out addressless tickets, which is the workaround for NAT issues…
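Added example, not code from this thread or from any of its posters: the “Wrong principal in request” result above is what you get when the client asks the KDC for a ticket to `ftp/<one name>@REALM` while the server’s keytab only holds a key for `ftp/<another name>@REALM`. A client that canonicalises host names through reverse DNS (MIT Kerberos with `rdns = true` in `[libdefaults]`) builds the principal from the PTR record of the address it connected to, so a PTR name that differs from the name you typed, or a missing PTR, changes which principal is requested. The script below takes the host name you type, the realm, and the principal names from `klist -k` on the server, and reports every principal a client might request and which of those have no keytab entry. The resolver callbacks, the function names and the sample DNS data are all constructed for this example; the “Incorrect channel bindings” error in the first post is a separate check (GSSAPI compares the peer addresses each side sees) that this script does not examine.

```python
import socket
import sys
from typing import Callable, Dict, List, Optional


def canon(name: str) -> str:
    """Normalise a host name the way a Kerberos client compares them."""
    return name.strip().lower().rstrip(".")


def diagnose(service: str, hostname: str, realm: str,
             keytab_principals: List[str],
             forward: Callable[[str], List[str]],
             reverse: Callable[[str], str]) -> Dict[str, object]:
    """List the service principals a client could request for `hostname`
    and check each one against the principals found in the server keytab.

    forward(name) returns the addresses for a name; reverse(ip) returns the
    PTR name for an address or raises OSError when there is none. A client
    that canonicalises through reverse DNS requests service/<PTR name>@REALM,
    so every distinct PTR name is a candidate alongside the typed name.
    """
    typed = canon(hostname)
    addresses = forward(hostname)
    ptr_names: List[Optional[str]] = []
    for ip in addresses:
        try:
            ptr_names.append(canon(reverse(ip)))
        except OSError:
            ptr_names.append(None)  # no PTR record: client keeps the typed name
    candidates = sorted({typed} | {n for n in ptr_names if n})
    wanted = [f"{service}/{n}@{realm}" for n in candidates]
    keytab = {p.strip() for p in keytab_principals}
    return {
        "addresses": list(addresses),
        "ptr_names": ptr_names,
        "candidate_principals": wanted,
        "missing_from_keytab": [p for p in wanted if p not in keytab],
        # True only when every address maps back to exactly the typed name
        "reverse_consistent": all(n == typed for n in ptr_names),
    }


def dns_forward(name: str) -> List[str]:
    """Live forward lookup through the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def dns_reverse(ip: str) -> str:
    """Live PTR lookup; socket.herror is an OSError subclass."""
    return socket.gethostbyaddr(ip)[0]


# Constructed sample DNS data (hypothetical names, not from the thread): the
# public name resolves to an address whose PTR record is an internal name, and
# a second host has no PTR record at all.
SAMPLE_FORWARD = {
    "ftp.example.test": ["192.0.2.10"],
    "nodns.example.test": ["192.0.2.20"],
}
SAMPLE_REVERSE = {"192.0.2.10": "ftp01.internal.test"}
# Constructed keytab contents, as `klist -k` would list them on the server.
SAMPLE_KEYTAB = [
    "ftp/ftp.example.test@EXAMPLE.TEST",
    "host/ftp.example.test@EXAMPLE.TEST",
]


def sample_forward(name: str) -> List[str]:
    return list(SAMPLE_FORWARD.get(canon(name), []))


def sample_reverse(ip: str) -> str:
    if ip not in SAMPLE_REVERSE:
        raise OSError(f"no PTR record for {ip}")
    return SAMPLE_REVERSE[ip]


if __name__ == "__main__":
    # Usage: script.py <hostname> <REALM> <principal from klist -k> ...
    if len(sys.argv) < 3:
        report = diagnose("ftp", "ftp.example.test", "EXAMPLE.TEST",
                          SAMPLE_KEYTAB, sample_forward, sample_reverse)
    else:
        report = diagnose("ftp", sys.argv[1], sys.argv[2], sys.argv[3:],
                          dns_forward, dns_reverse)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With no arguments it runs against the constructed sample and flags `ftp/ftp01.internal.test@EXAMPLE.TEST` as a principal a reverse-canonicalising client would request but the keytab cannot decrypt; with a host name, realm and the principal list from the server, it runs the same check against live DNS. An empty `missing_from_keytab` with `reverse_consistent` true means the naming side is clean and the remaining suspects are the keytab key version or the address-based checks rather than the principal name.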
