GSSFTP / Kerberos question

Broekman, Maarten Maarten.Broekman at FMR.COM
Wed Nov 11 22:31:51 UTC 2009


>  >
>  >>> more information
>  >>> GSSAPI error minor: Unknown code krb5 144
>  >>> GSSAPI error: accepting context
>  >>> GSSAPI ADAT failed
>  >>> GSSAPI authentication failed
>  >>>
>  >>> Connections to the primary hostname work:
>  >>> 334 Using authentication type GSSAPI; ADAT must follow
>  >>> GSSAPI accepted as authentication type
>  >>> GSSAPI authentication succeeded
>  >>>
>  >>> Looking at the Kerberos error code though, it says that 144 is "Wrong
>  >>> principal in request".  Anyone have an idea on what needs to be done to
>  >>> get this working?
>  >>>
>  >>> Thanks,
>  >>> Maarten
>  >>>
>  >>
>  >> Can you resolve your second hostname where you have the second
>  >> principal?
>  >>
>  >> Thomas
>  >
>  > Yes.  DNS is functioning properly and I can log in with my password, but
>  > not via GSSAPI.  I've also tried putting the extra_addresses and
>  > scan_interfaces options in my krb5.conf but that hasn't helped either.
>  >
>  > Could this be a routing issue?  My default route points out the primary
>  > hostname interface.  There are no specific routes for the secondary
>  > hostname though.
>  
>  I think your first and second IP is in the same subnet; for that you need
>  the same default gateway.
>  
>  There are two princs like:
>  
>  ftp/foo1.bar.com
>  ftp/foo2.bar.com
>  
>  and
>  
>  host/foo1.bar.com
>  host/foo2.bar.com
>  
>  Maybe you can try GSS with ssh login for hostname1 and hostname2.
>  Or something selinux missing?
>  
>  Thomas

We have selinux completely disabled.
We have the host/foo1.bar.com and host/foo2.bar.com princs.  I tried
adding the ftp/ princs but it didn't seem to make a difference.

Ssh with GSSAPIAuthentication turned on works for the primary hostname,
but prompts for passwords on the alternate names, just like.  It works
fine with CNAMEs though, so ssh alias1.bar.com lets me in just like ssh
foo1.bar.com (just like ftp).

--Maarten
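
Added example, not part of the original post or thread: a Python sketch that works out which service principal a client would request for each name in the thread and compares it with the one principal the daemon accepts. Assumptions: the client canonicalises the name by forward then reverse DNS lookup (the MIT krb5 default), the daemon accepts only the principal for its primary hostname, and the DNS tables, addresses and helper names are constructed for illustration.

```python
import socket

def requested_principal(service, hostname, forward, reverse):
    """Principal a client asks the KDC for: service/<canonical host name>."""
    canon, addr = forward(hostname)        # forward lookup follows CNAMEs
    name = reverse(addr) or canon          # reverse lookup of that address
    return f"{service}/{name.lower().rstrip('.')}"

def check(service, hostnames, acceptor, keytab, forward, reverse):
    """Map each name to (requested principal, verdict).

    acceptor is the one principal the daemon accepts (assumption: the one for
    its primary hostname); None means any key in the keytab is accepted.
    """
    results = {}
    for host in hostnames:
        princ = requested_principal(service, host, forward, reverse)
        if princ not in keytab:
            verdict = "missing-from-keytab"
        elif acceptor is not None and princ != acceptor:
            verdict = "wrong-principal"    # what krb5 minor code 144 reports
        else:
            verdict = "ok"
        results[host] = (princ, verdict)
    return results

def dns_forward(hostname):
    """Live resolver: (canonical name, first address)."""
    info = socket.getaddrinfo(hostname, None, flags=socket.AI_CANONNAME)
    return info[0][3] or hostname, info[0][4][0]

def dns_reverse(addr):
    """Live resolver: PTR name for addr, or None."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

# Constructed DNS data mirroring the thread: two A records, one CNAME.
FORWARD = {"foo1.bar.com": ("foo1.bar.com", "192.0.2.10"),
           "foo2.bar.com": ("foo2.bar.com", "192.0.2.11"),
           "alias1.bar.com": ("foo1.bar.com", "192.0.2.10")}
REVERSE = {"192.0.2.10": "foo1.bar.com", "192.0.2.11": "foo2.bar.com"}
KEYTAB = {"host/foo1.bar.com", "host/foo2.bar.com"}

def demo(acceptor="host/foo1.bar.com"):
    return check("host", FORWARD, acceptor, KEYTAB, FORWARD.__getitem__, REVERSE.get)

if __name__ == "__main__":
    for host, (princ, verdict) in demo().items():
        print(f"{host:16} -> {princ:20} {verdict}")
```

Passing `dns_forward` and `dns_reverse` in place of the constructed tables runs the same comparison against live DNS.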
