2010/4/10 Greg Hudson <ghud...@mit.edu>: > On Sat, 2010-04-10 at 05:28 -0400, Elia Pinto wrote: >> I can get a TGS ftp /<KDC MVS hostname>@< KDC MVS REALMS> but it seems >> that the client also requests a TGS host /<KDC MVS hostname>@< KDC MVS >> REALMS> but this one is not defined on the KDC MVS and so the ftp >> client logon fail. > > The ftp client tries to authenticate to ftp/hostname, then falls back to > host/hostname if that fails. So, no, you don't need a host/hostname > service, but you do have to figure out why the initial authentication is > failing.
First of all, thanks for the fast replay. It was not easy to find the problem, given that from the logs of Z / OS KDC looked like a kerberos problem. Instead the true problem was that the Z/OS KDC was using code page IBM-1047 while the FTP server uses the code page IBM-280. And between the two different code pages, in particular, the hexadecimal representation of the @ character in IBM-280 matches the character §, and vice versa. In particular in the ftp server configuration file 'ftp.env' was defined as the variable: LC_ALL = It_IT.IBM-280 While in the configuration file kdc 'envar' was defined in the variable: LANG = En_US.IBM-1047 I have then changed the code page of the IBM ftp to IBM-1047. And work perfectly. Thanks again ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos