All,
        I'm trying to configure my RHEL5 servers to perform GSSAPI
authentication via gssftp and ssh.  I've enabled the gssftp service and
GSSAPIAuthentication (in ssh).  Everything works properly with Kerberos
tickets over the "hostname" IP address (as well as any CNAMEs for it).
However, when I try to connect to a secondary IP address on the same
system, GSSAPI authentication fails.  I have host principals in the
keytab for all hostnames on the system and /etc/hosts contains all the
appropriate host / IP entries.

        Example:
                $ kinit
                $ ftp -n -i hostname    --> Works properly
                ...
                334 Using authentication type GSSAPI; ADAT must follow
                GSSAPI accepted as authentication type
                GSSAPI authentication succeeded
                Remote system type is UNIX.
                Using binary mode to transfer files.
                ftp> quote user username
                232 GSSAPI user [email protected] is authorized as username

                $ ftp -n -i hostname-alt        --> Doesn't work.
                334 Using authentication type GSSAPI; ADAT must follow
                GSSAPI accepted as authentication type
                GSSAPI error major: Unspecified GSS failure.  Minor code may provide more information
                GSSAPI error minor: Unknown code krb5 144
                GSSAPI error: accepting context
                GSSAPI ADAT failed
                GSSAPI authentication failed
                334 Using authentication type KERBEROS_V4; ADAT must follow
                KERBEROS_V4 accepted as authentication type
                Kerberos V4 krb_mk_req failed: You have no tickets cached
                Remote system type is UNIX.
                Using binary mode to transfer files.
                ftp> quote user username
                331 Password required for username.

        Code 144 is "wrong principal in request" but I can't for the
life of me figure out why.

        Running klist -k /etc/krb5.keytab on the target server shows:
                Keytab name: FILE:/etc/krb5.keytab
                KVNO Principal
                ---- --------------------------------------------------------------------------
                  10 host/[email protected]
                  10 host/[email protected]
                  10 host/[email protected]
                  10 host/[email protected]
                   6 host/[email protected]
                   6 host/[email protected]
                   6 host/[email protected]
                   6 host/[email protected]

        Checking both of these host principals in our Kerberos database
shows that they are all valid.

        Running a klist on my ticket cache on the source system shows:
                $ klist
                Ticket cache: FILE:/tmp/krb5cc_62548_AdrweK
                Default principal: [email protected]

                Valid starting     Expires            Service principal
                11/16/09 08:50:05  11/17/09 08:50:05  krbtgt/[email protected]
                11/16/09 08:50:34  11/17/09 08:50:05  host/[email protected]
                11/16/09 08:50:40  11/17/09 08:50:05  host/[email protected]


                Kerberos 4 ticket cache: /tmp/tkt62548
                klist: You have no tickets cached

        Any assistance with this would be greatly appreciated.

Thanks in advance,
--Maarten

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
