root wrote:
>
> how do you set the kdc to write to syslog? Is it just setting all
> daemons to log somewhere (i.e. *.debug /tmp/syslog)?

See the documentation on the kdc.conf; it's in the doc directory, or on the web:
http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#kdc.conf
or the sample:
http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#Sample%20kdc.conf%20File
This logs to a file, but you can use syslog.

>
> btw, I am not changing the names in our configuration for my health or
> due to personal paranoia. Last time I posted something that had info
> about our internal setup my boss wanted to kill me...so I guess I am
> doing for my health, hmmm...Anyway, I realize it makes things more
> difficult but I really do need and appreciate the help.

Unfortunately your e-mail address is also not valid, so I assume you must
be reading the list using some other name. So I can not contact you personally.

> I tried to
> depict the keytab and errors identical to reality with the exception
> of the names being changed to protect the innocent (me from my boss).

Well then you and your boss are on your own. Sorry I can help more.

> So if the keytab says:
>
> 3 ftp/[EMAIL PROTECTED]
>
> you can assume correctly that my keytab says :
>
> 3 ftp/[EMAIL PROTECTED]

The point is there is a relation between how a client determines the realm
of a host. If you hid the real domain and real realm name, one can not determine
if your problem is caused by your changing the names or something else.

>
> thanks again all...
>
> [EMAIL PROTECTED] ("Douglas E. Engert") wrote in message news:<[EMAIL PROTECTED]>...
> > One other thing to watch is the syslog of the KDC to see what ticket is
> > issued to the client which will be used with the server. This might
> > indicate what principal is being used.
> >
> > It might be that the krb5.conf [domain_realm] or DNS is assuming the
> > server is in a different realm. You did not indicate if this was set correctly.
> >
> >
> > (It appears you are changing the names of the hosts and realm to try
> > and be anonymous. This makes it harder to debug, as you may be hiding
> > a clue to the problem.)
> >
> > root wrote:
> > >
> > > Subject: kerberos ftpd bug? can't get it to work (New, sort of)
> > >
> > >
> > > I posted this question a few weeks ago and got two responses asking me
> > > to provide more accurate info about my setup. So here it is. I hope
> > > this is good enough b/c this is as close as I am allowed to get to
> > > reality...
> > >
> > > Does anyone know how to get ftp working on Kerberos V5. I can
> > > connect
> > > > to the ftp server but I fail to authenticate. I keep getting an error
> > > > message that "No principal in keytab matches desired name". But my
> > > > keytab file appears correct. In fact, telnet and rsh are working.
> > > > The only thing that doesn't work is ftp. I have tried removing the
> > > > ftp entry from my keytab file (supposedly some versions of kerberos
> > > > will not work with ftp/host; only host/host) and I connect using the
> > > > FQDN (also heard ftp is quirky about FQDNs) but I get exactly the same
> > > > problems. I have tried everything and pored over all the docs I could
> > > > get my hands on to no avail. I suspect it's something stupid I am
> > > > overlooking or maybe there's some obscure work around. Anyway, my
> > > > boss really wants this implemented and I am stumped. Anyone out there
> > > > got any ideas? ANY HELP WILL BE GREATLY APPRECIATED!
> > > >
> > > > I PASTED THE ERROR AND MY KEYTAB FILE BELOW:
> > > >
> > > > [EMAIL PROTECTED] /usr/kerberos/krb5-1.2.8/src/appl/gssftp/ftp/ftp
> > > > sleepy.seven.dwarfs.com
> > > > Connected to sleepy.seven.dwarfs.com
> > > > 220 emssyb1 FTP server (Version 5.60) ready.
> > > > 334 Using authentication type GSSAPI; ADAT must follow
> > > > GSSAPI accepted as authentication type
> > > > GSSAPI error major: Miscellaneous failure
> > > > GSSAPI error minor: No principal in keytab matches desired name
> > > > GSSAPI error: acquiring credentials
> > > > GSSAPI ADAT failed
> > > > GSSAPI authentication failed
> > > >
> > > > emssyb1:/>/usr/kerberos/krb5-1.2.8/src/clients/klist/klist -k
> > > > Keytab name: FILE:/etc/krb5.keytab
> > > > KVNO Principal
> > > > ---- --------------------------------------------------------------------------
> > > > 3 ftp/[EMAIL PROTECTED]
> > > > 3 ftp/[EMAIL PROTECTED]
> > > > 3 host/[EMAIL PROTECTED]
> > > > 3 host/[EMAIL PROTECTED]
> > > > 3 telnet/[EMAIL PROTECTED]
> > > > 3 telnet/[EMAIL PROTECTED]
> > >
> > > ...Now someone (Ken Hornstein) suggested that I turn on logging for
> > > ftpd to log to the syslog. This was supposed to give me more
> > > information about the error. I now have ftpd logging to syslog but no
> > > new info; the same error is showing up in the syslog now.
> > > ________________________________________________
> > > Kerberos mailing list [EMAIL PROTECTED]
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > --
> >
> > Douglas E. Engert <[EMAIL PROTECTED]>
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444

--

Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
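
Added example, not part of the original message or of MIT Kerberos: a small Python check of the relation the reply describes, mapping a host name to a realm through krb5.conf [domain_realm] and comparing the resulting service principals with `klist -k` output. It assumes a simplified lookup (exact host entry, then the most specific `.domain` entry); the host names, realms and keytab listing are constructed placeholders.

```python
import re

# Constructed sample inputs (placeholder names, not taken from the thread).
SAMPLE_KRB5_CONF = """\
[domain_realm]
    .lab.example.com = LAB.EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 ftp/srv1.lab.example.com@EXAMPLE.COM
   3 host/srv1.lab.example.com@LAB.EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Collect the [domain_realm] entries as {host-or-.domain: REALM}."""
    mappings, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
        elif in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = realm
    return mappings

def realm_for_host(fqdn, mappings):
    """Exact host entry first, then the most specific '.domain' entry (simplified)."""
    host = fqdn.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mappings[c] for c in candidates if c in mappings), None)

def keytab_principals(klist_text):
    """Principals listed by `klist -k` (lines of the form 'KVNO principal')."""
    return set(re.findall(r"^[ \t]*\d+[ \t]+(\S+@\S+)[ \t]*$", klist_text, re.M))

def missing_principals(fqdn, services, conf_text, klist_text):
    """Service principals the mapping implies that the keytab does not hold."""
    realm = realm_for_host(fqdn, parse_domain_realm(conf_text))
    if realm is None:
        raise ValueError(f"no [domain_realm] entry covers {fqdn}")
    have = keytab_principals(klist_text)
    wanted = [f"{svc}/{fqdn.lower()}@{realm}" for svc in services]
    return [p for p in wanted if p not in have]
```

With the constructed inputs, the keytab holds an `ftp/` key in the parent realm while the mapping places the host in the sub-realm, so only the `ftp` principal is reported missing.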
