Hi Ken and Douglas,

Thanks a lot for answering my question!

I changed the hostnames of my server and client to server.james.com and client.james.com respectively. The 220 reply shows the FQDN of the server:

220 server.james.com FTP server (Version 5.60) ready.

However, I get another error:

Key version number for principal in key table is incorrect.

I checked klist -ke and getprinc on client.james.com (see output below). The KVNO is different for both ftp/server.james.com and host/server.james.com. I think the reason they are different is that I added the key for principals ftp/server.james.com and host/server.james.com on both server and client. Each time I run ktadd for a principal, the KVNO increases. If I remove these two keys on the server, I got the same error "GSSAPI error minor: No principal in keytab matches desired name" again.

Should I use "ktadd" to add these keys to the keytab on server.james.com or client.james.com or both? Could you give me some suggestions on what I should try next? (I attached some console output below.)

=========== Output ===========

[EMAIL PROTECTED] bin]# ./ftp -d -v server.james.com
Connected to server.james.com.
220 server.james.com FTP server (Version 5.60) ready.
---> AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
Trying to authenticate to <[EMAIL PROTECTED]>
calling gss_init_sec_context
---> ADAT [base64 token omitted]
---> AUTH GSSAPI
Trying to authenticate to <[EMAIL PROTECTED]>
calling gss_init_sec_context
---> ADAT [base64 token omitted]
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Key version number for principal in key table is incorrect
GSSAPI error: accepting context
GSSAPI ADAT failed
---> AUTH GSSAPI
GSSAPI authentication failed
---> AUTH KERBEROS_V4
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (server.james.com:root):

[EMAIL PROTECTED] bin]# ./klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 ftp/[EMAIL PROTECTED] (etype 23)
   9 ftp/[EMAIL PROTECTED] (DES with HMAC/sha1)
   9 ftp/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
   9 ftp/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
   5 host/[EMAIL PROTECTED] (etype 23)
   5 host/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
   5 host/[EMAIL PROTECTED] (DES with HMAC/sha1)
   5 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
   5 root/[EMAIL PROTECTED] (etype 23)
   5 root/[EMAIL PROTECTED] (DES with HMAC/sha1)
   5 root/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
   5 root/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)

kadmin: getprinc ftp/server.james.com
Principal: ftp/[EMAIL PROTECTED]
Expiration date: [never]
Last password change: Tue Nov 16 15:50:02 PST 2004
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Nov 16 15:50:02 PST 2004 (root/[EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 11, <Encryption type 0x17>, no salt
Key: vno 11, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 11, DES with HMAC/sha1, no salt
Key: vno 11, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]

kadmin: getprinc host/server.james.com
Principal: host/[EMAIL PROTECTED]
Expiration date: [never]
Last password change: Tue Nov 16 15:49:54 PST 2004
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Nov 16 15:49:54 PST 2004 (root/[EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 7, <Encryption type 0x17>, no salt
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, DES with HMAC/sha1, no salt
Key: vno 7, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]

kadmin:

Thanks a lot!
James

-----Original Message-----
From: Ken Raeburn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 3:34 PM
To: James Chen
Cc: Ken Raeburn; [EMAIL PROTECTED]
Subject: Re: Kerberos5 FTP not working. Neep Help!

Yes, with the hostname set to server.james.com, that looks better. Does the ftp server work properly now?

Ken
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
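
Added example, not part of the original message: the keytab-versus-KDC KVNO comparison from the klist -ke and getprinc output above, done in code. The sample text is constructed from that output, with EXAMPLE.REALM as a placeholder for the redacted realm; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `klist -ke` and `getprinc` output in the
# message above; EXAMPLE.REALM is a placeholder for the redacted realm.
KLIST_KE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   9 ftp/server.james.com@EXAMPLE.REALM (etype 23)
   9 ftp/server.james.com@EXAMPLE.REALM (DES cbc mode with RSA-MD5)
   5 host/server.james.com@EXAMPLE.REALM (etype 23)
   5 host/server.james.com@EXAMPLE.REALM (DES cbc mode with RSA-MD5)
"""
GETPRINC = """\
Principal: ftp/server.james.com@EXAMPLE.REALM
Key: vno 11, <Encryption type 0x17>, no salt
Principal: host/server.james.com@EXAMPLE.REALM
Key: vno 7, <Encryption type 0x17>, no salt
"""

def keytab_kvnos(text):
    """Map principal -> set of KVNOs listed by `klist -ke`."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)", line)
        if m:
            found[m.group(2)].add(int(m.group(1)))
    return dict(found)

def kdc_kvnos(text):
    """Map principal -> set of KVNOs from concatenated `getprinc` output."""
    found, current = defaultdict(set), None
    for line in text.splitlines():
        m = re.match(r"\s*Key: vno (\d+),", line)
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
        elif m and current:
            found[current].add(int(m.group(1)))
    return dict(found)

def stale_entries(keytab, kdc):
    """Principals whose keytab lacks the highest KVNO the KDC holds."""
    return {p: (sorted(keytab.get(p, ())), max(v))
            for p, v in kdc.items() if max(v) not in keytab.get(p, ())}

if __name__ == "__main__":
    result = stale_entries(keytab_kvnos(KLIST_KE), kdc_kvnos(GETPRINC))
    for p, (have, want) in result.items():
        print(f"{p}: keytab has KVNO {have}, KDC has {want}")
```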