In article
<[EMAIL PROTECTED]>,
[EMAIL PROTECTED] ("Pierre Goyette") wrote:
> I have a Solaris box with MIT Kerberos 1.3.3 installed as an application
> server which is part of a Windows 2000 KDC.
>
> I can perform a kerberized telnet to the box perfectly. However, I
> cannot ftp to the box.
...
> A Ethereal trace shows the client receiving a 501-GSSAPI error minor: no
> principal in keytab matches desired name.
...
> On my client, I properly acquire all the right tickets, klist -e shows:
>
> Ticket cache: API:krb5cc
> Default principal: [EMAIL PROTECTED]
> Valid starting Expires Service principal
> 06/08/04 08:01:18 06/08/04 18:01:18
> krbtgt/[EMAIL PROTECTED]
> renew until 06/15/04 08:01:18, Etype (skey, tkt): ArcFour with HMAC/md5,
> ArcFour with HMAC/md5
> 06/08/04 12:04:48 06/08/04 18:01:18
> host/[EMAIL PROTECTED]
> renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with
> RSA-MD5, DES cbc mode with RSA-MD5
> 06/08/04 12:05:47 06/08/04 18:01:18
> ftp/[EMAIL PROTECTED]
> renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with
> CRC-32, DES cbc mode with CRC-32
> Kerberos 4 ticket cache: API:krb4cc
I see your ftp service ticket's encryption is different
from the host service ticket. If you could, as root, try
$ klist -k -e
does the ftp key's encryption type match your service ticket?
Donn Cave, [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
