On Tuesday, September 17, 2002, at 12:04 PM, Steve Langasek wrote:
> On Tue, Sep 17, 2002 at 11:44:14AM -0700, timothy perfitt wrote:
>
>> My question is this: does the name of a service, ie ftpd, have to be
>> part of the principal name of the service (ie
>> [EMAIL PROTECTED])?
>
> This is application-specific. Some use host/fqdn as their service
> principal; some use an app-specific principal; some have configurable
> behavior. What ftp server are you using?

The ftp server on Mac OS X Server is xftpd. When connecting, you get this tag line:

server (Version: Mac OS X Server 10.2 - +GSSAPI) ready.

Apple says that the mail server on Mac OS X is Kerberized, as well as ftp (xftpd) and AFP (Apple File Protocol) service. From what you wrote, I may need an app-specific service principal for each service, or the host/FQDN may do, depending on how the service was Kerberized. That would make sense with the error messages I am getting for the Mail Server.

>> Do I even need a service key in krb5.keytab on the server?
>
> You need to have one in *some* keytab on the server. Unless otherwise
> configured, this should be krb5.keytab.

I have tried many different service principals in the krb5.keytab, using host/FQDN or <servicename>/FQDN, and lots of others. All of them gave the same error message (except when I removed the krb5.keytab file, I got an error that it didn't exist, which tells me that it is at least being referenced!). The error message was from the Apple Mail Server service. Now that I realize that may be application-specific, I'll focus on getting xftpd up and running.

>> My understanding is that Kerberos provides assurance that a specific
>> user on a specific host is authorized to connect to a specific server.
>
> Um... no. Kerberos *authenticates* users, so that the server has
> assurance of the client's identity. It says nothing about what access
> they should be granted (authorization), just determines who they are
> (authentication).

I was a bit confused as to why the client passes along the ticket for a service that it got from the KDC. I thought this meant that the client is authorized to talk to the server. I now realize that this is to prove to the server (or service) that the client talked to the KDC and the KDC encrypted the user's credentials with the server's key to give a secure way of providing the user's username to the service.

Thanks!

Timothy Perfitt

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
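The keytab question in this thread (which service principal the file actually holds versus which one the application wants) is easiest to settle by reading the keytab itself. The following is an added example, not code from the thread or from Apple's tools: it builds a constructed MIT-format (0x0502) keytab in memory with an all-zero sample key, parses it the way `klist -ke` would, and reports which candidate principals (host/FQDN, ftp/FQDN) are missing; the host name, realm and enctype 18 are assumed sample values.

```python
import struct

def _counted(b: bytes) -> bytes:           # counted_octet_string: u16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries) -> bytes:
    """Constructed MIT keytab (format 0x0502) from (principal, enctype, key, kvno)."""
    out = b"\x05\x02"
    for princ, enctype, key, kvno in entries:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_principals(data: bytes):
    """[(principal, enctype, kvno)] for every live entry, as `klist -ke` lists them."""
    assert data[:2] == b"\x05\x02", "not a version-2 MIT keytab"
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        def take_string():                 # counted_octet_string reader
            nonlocal pos
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2 + n
            return data[pos - n:pos].decode()
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm = take_string()
        comps = [take_string() for _ in range(ncomp)]
        _nt, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        found.append(("/".join(comps) + "@" + realm, enctype, kvno))
    return found

def missing_principals(data: bytes, wanted):
    """Names in `wanted` that the keytab lacks: check this before blaming the app."""
    have = {p for p, _, _ in keytab_principals(data)}
    return [p for p in wanted if p not in have]

# Constructed sample: keytab holding only host/FQDN while ftp may expect ftp/FQDN
SAMPLE = build_keytab([("host/mail.example.com@EXAMPLE.COM", 18, bytes(32), 3)])
```

Pointing `keytab_principals` at the bytes of a real `/etc/krb5.keytab` (assumed path) shows exactly which names the services on that host can find a key for.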
