Kerberized FTP service
I'm trying to get FTP up and running using only Kerberos for authentication. Service is starting up with no errors, but I can't get any "kerberized" FTP clients to connect, on either Mac or PC. On the Mac I'm trying to connect with Fetch 5.2 via GSSAPI. On the PC, I'm using FileZilla. In both cases I'm getting the same error message:
Here is the transcript from Fetch:
Connecting to FQHN.com port 21 (Mac OS X firewall is off) (5/24/07 3:19:16 PM)
Connected to IPobscurred port 21 (5/24/07 3:19:16 PM)
220--------------------------------------------------------------------------------
220-This is the "Banner" message for the Mac OS X Server's FTP server process.
220-
220- FTP clients will receive this message immediately
220- before being prompted for a name and password.
220-
220-PLEASE NOTE:
220-
220- Some FTP clients may exhibit problems if you make this file too long.
220-
220--------------------------------------------------------------------------------
220-
220 FQHN.com FTP server ready.
ADAT
503 You must issue an AUTH first.
AUTH This command is checking whether this server supports Kerberos or GSS security, see RFC 2228
504 This command is checking whether this server supports Kerberos or GSS security, see RFC 2228 is unknown to me
AUTH GSSAPI
334 Send authorization data.
gss_send_tok_buff = ftp@FQHN.com
ADAT
535-GSSAPI error major: Incorrect channel bindings were supplied
535-GSSAPI error minor: No error
535 GSSAPI error: accepting context [ Incorrect channel bindings were supplied - No error ]
release 2
service 0gss_send_tok_buff = host@FQHN.com
ADAT
535-GSSAPI error major: Miscellaneous failure
535-GSSAPI error minor: Wrong principal in request
535 GSSAPI error: accepting context [ Miscellaneous failure - Wrong principal in request ]
release 2
service 1
In both cases, Apple's Kerberos utility is getting both an FTP and a Host ticket from the KDC (an Open Directory Master). On the PC, I'm also being granted tickets (using Leash).
All in all, the other kerberized services we're offering are up and running with no issues. Has anybody gotten this to work?