In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] ("Pierre Goyette") wrote: > I have a Solaris box with MIT Kerberos 1.3.3 installed as an application > server which is part of a Windows 2000 KDC. > > I can perform a kerberized telnet to the box perfectly. However, I > cannot ftp to the box. ... > A Ethereal trace shows the client receiving a 501-GSSAPI error minor: no > principal in keytab matches desired name. ... > On my client, I properly acquire all the right tickets, klist -e shows: > > Ticket cache: API:krb5cc > Default principal: [EMAIL PROTECTED] > Valid starting Expires Service principal > 06/08/04 08:01:18 06/08/04 18:01:18 > krbtgt/[EMAIL PROTECTED] > renew until 06/15/04 08:01:18, Etype (skey, tkt): ArcFour with HMAC/md5, > ArcFour with HMAC/md5 > 06/08/04 12:04:48 06/08/04 18:01:18 > host/[EMAIL PROTECTED] > renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with > RSA-MD5, DES cbc mode with RSA-MD5 > 06/08/04 12:05:47 06/08/04 18:01:18 > ftp/[EMAIL PROTECTED] > renew until 06/15/04 08:01:18, Etype (skey, tkt): DES cbc mode with > CRC-32, DES cbc mode with CRC-32 > Kerberos 4 ticket cache: API:krb4cc
I see your ftp service ticket's encryption is different from the host service ticket. If you could, as root, try $ klist -k -e does the ftp key's encryption type match your service ticket? Donn Cave, [EMAIL PROTECTED] ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos